VION 


3 1761 11701352 4 


+ 


Treasury Board o of Canada ae Conseil du Trésord du Canada 
Comptroller General - _ Controleur général 


HING AND DEVELOP 
EFFECTIVE INTERNAL AUDIT F 


amendment 
number 


a 


Record of Reissues and Additions 


amendment 
number 


date inserted date inserted 


inserted by 


Digitized by the Internet Archive 
in 2024 with funding from 
University of Toronto 


https://archive.org/details/31 761117013524 


INTERNAL AUDIT HANDBOOK 


© Minister of Supply and Services Canada 1985 
Available in Canada through 


Authorized Bookstore Agents 
and other bookstores 


or by mail from 


Canadian Government Publishing Centre 
Supply and Services Canada 
Ottawa, Canada KIA 0S9 


Catalogue No. BT66-4/1985-1E Canada: 24.95 
ISBN 0-660-11799-| Other Countries: 29.95 


Price subject to change without notice 


Published by 
Communications Division 
Treasury Board of Canada 


Internal Audit Handbook 


FOREWORD 


Purpose 


This Handbook is being developed and maintained through the combined efforts of a 
number of Working Groups under the general direction of the Interdepartmental 
Advisory Committee on Internal Audit (IACIA), and specific direction of the Sub- 
committee for Methodology Development. It replaces the Internal Financial Audit 


Handbook while building on the foundation provided therein. 


The prime motive in the development of this Handbook derives from a recognition 
by the internal audit community that in attempting to expand the scope of internal 
auditing within the Government of Canada, from primarily financial to broad-scope 
auditing as defined in the Standards for Internal Audit in the Government of Canada 
(Standards), considerable effort was being expended by individual departmental 
internal audit groups on the development of internal audit handbooks and audit 
methodology. The IACIA concluded that there would be advantages in a pooling of 
resources. The result was the formation of the Sub-Committee for Methodology 
Development and a number of working groups representing both members of the 
internal audit community and non-audit personnel (functional specialists and line 
managers). Non-audit personnel provide the technical and functional expertise 
required for development of guidance for broad-scope auditing. The contents of 
the three volumes which comprise this Handbook are, and will continue to be, the 


result of this combined effort. 


The purposes for developing and issuing this Internal Audit Handbook may be 


summarized as follows: 


(a) to communicate the IACIA's suggested principles, concepts, processes, methods 
and techniques for internal auditing in order to provide useful guidance through 


which the quality and efficiency of internal audit may be maintained or improved; 


(b) to minimize the duplication of development effort on the part of individual 


departments in producing internal audit manuals and audit methodology; 


Internal Audit Handbook =f 4= 


(c) to provide a source of material for both formal and on-the-job training for 


internal auditors; 
(d) to assist in the implementation of the published Standards; 


(e) to provide mechanisms and criteria through which meaningful performance 
measurement may be established for internal audit processes, functions and 


personnel; and 


(f) to provide a base and a repository for evolving internal audit practices consid- 


ered beneficial to the audit community. 
Use 


It should be made clear that while the Handbook is the product of joint efforts of 
knowledgeable individuals, it is not the definitive authority on any subject matter 
presented. The material was assembled, analysed and written by a representative 
sample of auditors, managers and specialists. This process is designed to ensure, to 
the extent possible, that the joint wisdom available in the community has been 
brought to bear in the development and review of the product. By the time the 
final version is in place, it will have been reviewed and/or tested in a number of 
federal government departments and agencies. It should, accordingly, be the best 
reference available for internal auditing in this environment. Subsequent editions 
will be prepared based on more recent audit literature and on experience gained 


through implementation in the federal government environment. 


A word of caution may be in order at this time. As described above, very real 
benefits could result from the judicious use of this Handbook. However, given the 
generic nature of much of the content and recognizing that the knowledge base for 
broad-scope internal audit is growing at a considerable rate, much of the material 
will have to be revised and augmented over time. Accordingly, the user must 


remember, as befits all handbooks, that: 


'(1) | this Handbook is intended to be merely a guide and not a substitute for the 


auditor's judgement, imagination, and initiative; 


Internal Audit Handbook - iii - 


(2) as the Handbook is general in nature, often covering material quite broadly 
because of the need for consistency on a governmental basis, it is essential 


that each department adapt the material to meet its requirements; 


(3) standard audit procedures cannot be used in a mechanical way, but must be 


adapted to the needs of the actual situation; and 
(4) standard audit procedures are not a substitute for careful supervisory attention. 


Internal audit groups should continue to develop specific material tailored to their 


unique needs. This Handbook is intended to provide a useful starting point. 


Organization 


This Handbook consists of three Volumes. Volume I is dedicated to establishing and 
developing an effective internal audit function. Volume II deals with Internal Audit 


Concepts and Practices. Volume Ill is reserved for Internal Audit Guides. 


The intent of this organization is two-fold. First, it segregates three major aspects 
of internal auditing (1) establishing and developing an effective internal audit 
function; (2) generic internal audit principles and practices; and (3) specific audit 
guidance. Second, it segregates a large amount of material into more manageable 
components based on their frequency of use and the varying needs of the anticipated 


users. 


It is our intention of publish Volumes I and II as two complete units, whereas 
Volume III will be published in the form of individual Guides, as they become 


available. 


Internal Audit Handbook ~ty- 


Evolution of Internal Audit in the Government of Canada 


A brief discussion of the evolution of internal audit in the federal government will 
provide a more meaningful perspective to such questions as: Where has the function 
come from? What is its present state? and perhaps most importantly, Where is it 
going? These questions apply equally from both a departmental and internal audit 


community viewpoint. 


Internal audit, while evolving and developing as a profession, has long been considered 
an important element in the management control process. The need for this element 
of contro! within the federal government was identified as far back as 1962 when 

the Glassco Commission recommended that departmental management be responsible 
for establishing and maintaining proper systems of internal audit. In 1966, Treasury 
Board responded to this recommendation and a policy was published in the Financial 
Management Guide. In 1973, a number of directives issued in the Guide on Financial 
Administration, which replaced the earlier Guide, made internal financial audits 
mandatory for all departments. In 1978, Standards for Internal Financial Audit in 

the Government of Canada were approved by the Treasury Board and issued by the 
Office of the Comptroller General. These standards substantially expanded the 


direction given to internal financial audit groups. 


Traditionally, internal audits were confined to assessing the degree of compliance 
with prescribed financial policies, regulations and other directives. In some depart- 
ments operational audits were introduced resulting in the expansion of the scope of 
internal audits. The Auditor General Act enacted in 1977 required the Auditor 
General to report on cases where there had not been due regard to economy and 
efficiency and satisfactory procedures had not been established for measuring 
effectiveness. More recently, a government commitment was made through the 
Office of the Comptroller General to expand the audit scope, to support and improve 
the effectiveness of internal auditing and to monitor its development throughout 


the federal government. 


To deal with the shift from primarily financial auditing to the broad-scope auditing 
covering all departmental operations, the Standards for Internal Financial Audit 


were replaced in April 1982 by the Standards for Internal Audit in the Government 


Internal Audit Handbook -V- 


of Canada. These Standards, purposely forward looking, are intended to provide 
departmental internal audit functions with the structure on which to build a more 
effective organization capable of making significant contributions towards improved 


management practices within their departments. 


Internal audit functions are in various stages of development. Effectiveness of the 
internal audit function is very much dependent on the degree of support from, and 
participation of, senior management in the audit activities. However, improved 
organizational arrangements and support, in conjunction with an approved policy 
from the deputy head are not enough. Better quality audit practices are essential 
for effective internal auditing. Although departments nave made steady and signi- 
ficant progress in a relatively short period of time, much has still to be made. 
Furthermore, while advancing along the development curve, new and increasingly 
challenging opportunities will continue to present themselves to internal auditors 
(e.g. Pre-Implementation Audit). While it is anticipated that the implementation 
of the existing Standards will foster a higher level of effectiveness for the internal 
audit function as a whole, it is likely that they too will have to be revised and 
updated at some later date to reflect future developments and evolving circumstances 


(e.g. Parliamentary Reform, Access to Information and Reform of the Estimates). 


It is the intention here to provide assistance to the audit community in advancing 
the development of internal auditing in the federal government as an effective 


management tool. 


ge Chg) TY EGeginnigg ts a yy ‘e very 
= bi a) oe atin a Se of? 5 
4 Pipl sre inh * is “rh 


7 nee 


ee ee ee Pe a ee 
‘ pant : AS TASS APA tee , sie 
cirernnigna™ AV T = 
wars Omg bee + hy ona 
F yi 5 ' ' i) Neewinee u een be 
ed j dice tigen a a) mh, 
. te Ao galien RAe « riers 
: oy 1h * ADE nk - | 
TE | 
pelo ea? gel (ems ie 
oil) any as Some sly 
(poems be: hoes rita oil 
ah) Ate Oe iar eRe 
‘(te , 
i Apo erart noite aags if 
: pial du venttth if reenigoliagiatts efi 
22 O@ aah fe a ot 
i (Oe . 
- 


a , eo 


hg eo 


jaieira Ce weet 
, 7 


> = 


ba ”? - 


VOLUME I 


ESTABLISHING AND DEVELOPING AN EFFECTIVE 
INTERNAL AUDIT FUNCTION 


Prepared on behalf of 


Treasury Board of Canada 
Comptroller General 
Interdepartmental Advisory Committee 


on Internal Audit 


Ottawa, Ontario 
KIA 1E4 


16 Vinelad coe 
Stone to tied we 2 
+ gat |. re 
‘imnawo Tile 
S| na eA. eivames a 


ric fea rh 


sale. 


INTERNAL AUDIT HANDBOOK 


TABLE OF CONTENTS 


VOLUME I ESTABLISHING AND DEVELOPING AN EFFECTIVE INTERNAL 
AUDIT FUNCTION 


Table of Contents 


Introduction 


Chapter One 


Chapter Two 


Chapter Three 


Chapter Four 


Appendix A 


Appendix B 


Appendix C 


Appendix D 


Appendix E 


Appendix F 


The Internal Audit Policy 


The Audit Committee 


Development of Internal Audit Plans 


Management of the Internal Audit Group 


Accountability Reporting System 


Internal Audit Manual - Table of Contents 


Risk Determination For Internal Audit 
Planning Purposes 


Bibliography 


Internal Audit Standards - Summary 


Code of Ethics 


Policy Interpretation Notices 


“pe 


VOLUME II INTERNAL AUDIT CONCEPTS AND PRACTICES 


Introduction 


Chapter One 


Chapter Two 


Chapter Three 


The Internal Audit Assignment Process 


Introduction 
Section One Assignment Planning 
Section Two Review 


Section Three Evaluation 


Section Four Verification 
Section Five Reporting 
Conclusion 


Analysis Concepts and Practices for 
Internal Auditing 


Introduction 
Section One Analysis Concepts for 
the Internal Audit Process 
Section Two Analysis Practices for 
Internal Auditors 
Conclusion 


Control: Concepts and Applications 
for Internal Auditors 


Introduction 

Section One Internal Audit and 
Control Theory 

Section Two Systems Modelling and 


Control Theory 
Section Three Control Models For Audits 


Section Four The Auditor's Use of 
Control Models 


Conclusion 


oR 


Chapter Four Management Control Concepts and Practices 
Introduction 
Section One Managers, Auditors and 


Management Control 


Section Two Defining Control and 
Controlling 


Section Three Contribution of Management 
Functions to Control 


Section Four Audit of the Management 
Process 
Conclusion 
Chapter Five Internal Audit Approaches (Lines of Inquiry) 
Introduction 
Section One Responsibility Centre Auditing 
Section Two Program Auditing 


Section Three Function Auditing 


Section Four Systems Auditing ° 
Section Five Pre-Implementation Auditing 
Section Six Follow-up Auditing 


Section Seven Special Audits 


Conclusion 


Chapter Six Audit Evidence 
Introduction 


Section One Evidence and its Position 
in Audit Theory 


Section Two Types of Evidence and Methods 
By Which it is Gathered 


Section Three Determining what Constitutes 
Sufficient, Valid and 
Relevant Evidence 


shies 


Section Four Audit Evidence Evaluation 
Conclusion 

Chapter Seven The Concept of Reliance as it Applies To 
Internal Audit 
Introduction 
Section One Reliance on Management 
Section Two Reliance on/by Other Audit and 


Quasi-Audit Activities 


Section Three Reliance on/by Program 


Evaluation 
Conclusion 
Chapter Eight Auditor-Auditee Relations 
Introduction 
Section One Role-Related Influences 
Section Two Organization - Related 
Influences 


Section Three Audit Process-Related 


Relationships 
Section Four Implications of Non-Audit 
Activities 
Conclusion 
Chapter Nine Communications Concepts for Auditors 


(Reserved for Future Chapter) 


VOLUME Ill INTERNAL AUDIT GUIDES 
(Reserved for Future Guides - These will 
be released individually as completed) 


VOLUME I 


ESTABLISHING AND DEVELOPING AN EFFECTIVE INTERNAL 


TABLE OF CONTENTS 


AUDIT FUNCTION 


Introduction 


Chapter One 
Chapter Two 
Chapter Three 
Chapter Four 


Appendix A 
Appendix B 
Appendix C 
Appendix D 
Appendix E 
Appendix F 
1983-01 
1983-02 
1983-03 
1984-01 


1984-02 


1984-03 


The Departmental Internal Audit Policy 
The Audit Committee 
Development of Internal Audit Plans 


Management of the Internal Audit Group 


Accountability Reporting System 
Internal Audit Manual - Table of Contents 
Risk Determination for Internal Audit 


Planning Purposes 


Bibliography 


Internal Audit Standards - Summary 
Code of Ethics 


Policy Interpretation Notices 


Introduction to the Issuance of Policy 
Interpretation Notices 


Audit Working Papers 


Principles for Internal Audit Follow-up Activity 


Auditor Judgement 


Treatment of Access to Information Requests 


for Audit Information 


Pre-Implementation Audit 


Page 


. iu 

7] 
= 

arr 
ae nae 


ving yo! 


» mite 


(maa w?s 


ou 
"> =a) F Tae 


Internal Audit Handbook 
Volume I, Introduction TOS 


INTRODUCTION 


Volume I is dedicated to guidance on the establishment and development of an 


effective internal audit function. 


® In Chapter One - The Departmental Internal Audit Policy is discussed in 
terms of its components. A well-developed internal audit policy, approved 
and signed by the deputy head and widely promulgated within the depart- 
ment represents internal audit's authority or mandate. It should clearly 
communicate the roles and responsibilities of everyone involved or 
connected with the audit process. As circumstances evolve, changes to 
the internal audit function should be anticipated and the policy should 


be reviewed and revised accordingly. 


® Chapter Two is devoted to a detailed discussion of the audit committee. 
This is an evolving mechanism. Due to its importance as a source of 
advice to the deputy head and as a facilitator of internal audit activities, 


it is felt that it warrants a separate chapter. 


® Chapter Three discusses the development of internal audit plans from a 


function point of view. 


@ Chapter Four is devoted to discussion of the essential elements of the 
internal audit group's management process, including responsibility 


centre planning, implementation and control. 


Although a separate chapter is devoted to each of these areas, collectively they 
form the basis for the infrastructure of internal audit. The degree to which they 
are developed will have a direct bearing on the effectiveness of internal audit 


functions. 


mop reg 


/! rv 4 fa eee A 
7 
‘ ian teh} ¥ \ ¥ o ae" ie 
= ify > Iikere@ hl 


a? rs ob 1 & ei 


Ti ea | ) MRSS a ti ee 
— a _— Ce Shere 
a oe i . int V¥S4 aD 
i) ¢ att 
ce ae 
le J Lear a 
ore o rey 
j ' ionw Gl we 


hav pi! hay “ (eae OF (-Srasan & a 
7 dlp) iP ae wl .nwike 7 [ 


se 


I Ths | i j 7 pei, oa 7% nit " a inane! rats 3 Se 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.1 


CHAPTER ONE 
THE DEPARTMENTAL INTERNAL AUDIT POLICY 


1. OVERVIEW 


An Internal Audit Policy, authorized by the deputy head, is the formal pronouncement 
to departmental management and staff of the establishment of a departmental 
internal audit function. The policy statement is usually designed to set out the 

roles, responsibilities and relationships of both the internal audit group and depart- 
mental management and staff in the conduct of internal audits. It provides the 


internal audit group with a "mandate" to conduct internal audits. 


The policy by itself should not be construed as a means for getting auditees to 
accept internal audit findings and recommendations. The best that can be expected 
is that it will sensitize managers to the potential benefits of internal auditing. The 
degree of acceptance by auditees, clients or users of internal audits, will be highly 
dependent on the quality and significance of the auditor's end product, expressed in 


terms of findings, conclusions, opinions and recommendations. 
The Internal Audit Policy establishes the framework within which internal audit 
operates. It should provide a clear mandate, be authorized by the deputy head and 
be promulgated throughout the department. The purposes of the internal audit 
policy are to: 

1) define the role of internal audit; 

2) define the scope, operating criteria, and frequency of audits; 

3) clarify internal and external relationships; 


4) state the reporting requirements; and 


5) state the audit response and follow-up requirements. 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy ioe 


The following sections of this Chapter provide an indication of what the internal 


audit policy might cover, for each of the above mentioned headings. 
2. ROLE OF INTERNAL AUDIT 


The primary role of the internal audit group (per Standard No. 1) is to provide an 
independent, systematic review and appraisal of all departmental operations for 
the purpose of advising management as to the economy, efficiency, and effective- 


ness of internal management policies, practices and controls. 


Internal auditing assists the deputy head by either providing assurance that the 
operations are well managed or by identifying weaknesses in management policies, 
practices and controls and identifying opportunities for improvement. This is most 
successfully accomplished through the identification, review and evaluation of the 
existing control framework against a predetermined control framework for the 


audited entity. 


It is recognized that internal audit can play a number of roles in a department, 
including coordinator for external audits and that of training ground for aspiring 
departmental managers. It should be remembered however that these roles are 
secondary to the one mentioned above. This should be reflected in the policy by 
including such roles under various other headings in the policy (e.g. external relation- 


ships) or by clearly identifying them as secondary roles. 
3. SCOPE OF ACTIVITIES 
Scope of Audits 


Internal auditing should provide senior management with an independent appraisal 
of all aspects of departmental operations. The internal auditor should assess and 


express an opinion on: 


a) the design, development and implementation of all significant systems, 
procedures, processes and controls (including departmentally initiated 


legislation and those required by central agencies); 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.1.3 


b) the reliability and adequacy of information available for decision-making 
and accountability purposes; 


c) the extent to which available information is utilized in the decision- 


making process; 
d) the adequacy of protection afforded public funds and assets; and 


e) the extent of adherence to legislative, central agency and departmental 


direction. 


Also, although departmental internal audit groups have no direct responsibility for 
evaluation of legislation, policies, procedures, etc., of other departments or central 
agencies, where they discover weaknesses during the course of auditing, they are 


expected to bring these to the attention of those responsible. 


In summary, the scope of internal audits should be unrestricted within its host 


departmental or agency boundaries. 
Frequency of Audits 


The frequency of internal audits depends on a number of varying circumstances. 
Therefore, no set rules can be established as to the number of times each activity 
should be reviewed in any given period. However, as a minimum requirement, no 
major systems, functions and organizational units performing significant respon- 


sibilities should go unaudited for more than five years. 


Within the above timeframe, the actual frequency of audit for any specific auditable 
unit will depend upon a number of factors including, but not limited to, materiality, 
importance to management, degree of risk and opportunity for savings or improve- 


ments. 


Frequency will be discussed in more detail in Chapter Three - Development of 
Internal Audit Plans. Its mention in the policy statement informs managers that 
audits in their areas can be expected at least every five years. It also provides 


some basis for determination of internal audit resource requirements. 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy I.1.4 


Objectivity and Independence 


One of the virtues of an independent audit function is its ability to provide managers 
with objective feedback and advice regarding the state of their operations. Because 
of the broadened scope of internal audit, as described above, the pressure on the 
internal auditor to become and remain knowledgeable of the various operations of 
the department has increased. Nevertheless, a balance must be struck between the 


requirement for familiarity and the requirement for independence. 


On the one hand, auditors must be free of any bias in connection with the entity 

they are auditing. They must be impartial and disinterested in the conclusions 
reached and must express these conclusions honestly and impartially. This is the 
concept of "objectivity". Not only must the auditor avoid any action or circumstances 
that could actually impair objectivity but, anything that would give even the 


appearance of impairment of objectivity must be avoided. 


On the other hand, the effectiveness of internal auditors is dependent on both 
objectivity and knowledge of auditee operations. Therefore internal auditors cannot 
remain remote from departmental management staff and activities. In fact, it is 

in an internal auditor's interest to become knowledgeable about departmental 
operations and to establish and maintain good working relationships and lines of 


communication within the organization. 


To ensure independence, and therefore objectivity, in the internal audit function, 

the policy should state that internal audit personnel should not be directly involved 

in developing or implementing departmental policies, systems, procedures or processes. 
However, to avoid or minimize costly adjustments after new policies, systems, 
procedures or controls are implemented, the internal audit function should offer 
constructive advice during the development phase concerning the adequacy of 
controls, the efficiency where appropriate, and the subsequent auditability of the 


new or revised activity or system. 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.1.5 


To transpose an apt phrase for this situation from a book by Sonja Sinclair! on the 
Office of the Auditor General, - relations between the auditor and the auditee 
should be "cordial but not cozy". 


Authority of an Internal Audit Group 


The authority of the internal audit group must be clearly enunciated in the depart- 
mental audit policy. This is doubly important given that, with the broadened internal 


audit activity, many managers will be subjected to an audit for the first time. 


The policy should clarify auditor/auditee responsibilities in terms of access to infor- 
mation and staff. It should specify that the auditors are entitled access to all 
departmental information, records, documents and reports deemed necessary to the 
fulfilment of their responsibilities. It should also indicate that auditors are entitled 
to reasonable access to all departmental staff, including management, in order to 


obtain information and discuss findings relating to their reviews. 


In addition, it must be made clear that internal auditing is a staff rather than a line 
function. Therefore, internal auditors do not, and should not, exercise direct 


authority over other activities in the department or agency. 


1 Sonja Sinclair; Cordial But Not Cosy: A History of the Office of the Auditor 
General; McClelland and Stewart; 1979. 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy LEG 


4. INTERNAL AND EXTERNAL RELATIONSHIPS 
Deputy Head 


The organizational status of the internal auditing function and the support accorded 
to it by the senior management of the department or agency are among the major 
factors which will determine its effectiveness. Policy statements notwithstanding, 
the level in the organizational hierarchy at which the internal auditing group is 
placed, and the officer to whom the head of internal audit reports, determines to a 
major extent the authority of the internal auditing group. It also discloses to others 
in the department or agency the degree of commitment senior management has to 
the nature and scope of the internal auditing role. Without adequate organizational 
status there are very real limitations regarding access to higher level management 


officials and the kind of reception accorded to the internal audit groups. 


Rather than discouraging flexibility by establishing rigid standards, departments 

are encouraged to organize in such a manner that their differing requirements can 

be accommodated. This must be done without impairment of the independence 

(and hence the effectiveness) of the audit group. It is recognized that a number of 
factors will be employed in determining the reporting level of the head of the audit 
group. In this respect a direct reporting relationship to the deputy head is encouraged, 
however, factors such as the deputy's span of control or the size and nature of the 
department may make this impracticable. To provide an adequate degree of inde- 
pendence, the head of the internal audit group should report to the deputy head or 


to another senior executive officer who reports directly to the deputy head. 


Independence is enhanced when the head of internal audit reports to an individual 
with sufficient authority to ensure broad audit coverage, adequate consideration of 
audit reports and appropriate action on audit recommendations, and breadth of 
knowledge and experience to provide guidance. If the audit function does not report 
to the highest practical organizational level there is a danger that auditors will be 
subjected to internal management pressures which could compromise its independence 
and thereby diminish its overall effectiveness. Ideally, the head of the internal 

audit group should be independent of officials who are responsible for operations 


subject to internal audit. If appropriate reporting relationships are established and 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.1.7 


maintained, internal auditors will be able to carry out their work objectively and 


report their conclusions completely without fear of censure or reprisals. 


The internal audit function should be organized in a single group independent of the 
operations it must review. It should not be subdivided, with separate groups reporting 
to program managers. There are several reasons for this. A single internal audit 
group reporting to the deputy head, or to a senior executive officer who reports 
directly to the deputy head: 


- provides advantages of greater independence; 


- fosters a broad viewpoint on the interrelationship of organizations and 


functions within a department or agency; and 


“ places the internal auditor in a better position to make systematic and 
independent evaluations of and reports on all departmental programs, 


activities and operations. 


A single audit organization also facilitates the attraction and retention of better 
managerial and staff capability, more effective staff use, and increased coordination 
of audit effort and interrelated findings. In addition, under unified direction and 
supervision, a single audit organization permits the devotion of a greater portion of 
total staff time to specific audit assignments, and provides greater opportunities 


for tailoring staff assignments to the talents and experience of staff members. 


Some, but not all, of these advantages may be retained by a decentralized audit 
function with centralized functional direction, and associated review. On the other 
hand, there can be advantages to decentralization, such as better acceptance and 
knowledge of the auditee environment, which may compensate for some of the 


losses. 


In summary, the effectiveness of internal audit can be improved and flexibility can 


be maintained by observing the following: 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.1.8 


- the head of the internal audit group reports, where practicable, to the 


deputy head of the department; 


- in all other circumstances, the head of the internal audit group reports 
to a senior executive officer who reports directly to the deputy head, 


and who is not responsible for operations subject to internal audit; 


- the audit group is not subdivided, with separate groups reporting to 


program managers; and 


- the group conforms to the standards concerning the reporting of findings 


to the deputy head, regardless of organizational relationships. 
Audit Committee 


This committee, preferably chaired by the deputy head, is composed of senior 
executives who assist the deputy head in the effective discharge of his/her respon- 
sibilities, in matters relating to the management control framework within the 


organization. 


Due to the significance of this committee's role as it affects internal auditing, and 
the role it might play for the department in general, a detailed discussion on the 
audit committee is included in Chapter Two. This information should assist depart- 
ments in developing their committee's roles and responsibilities, including its 
relationship with the internal audit group, and to reflect these in the internal audit 


policy and in the terms of reference for the committee itself. 
Departmental Management 


In the day to day conduct of its affairs, the internal audit group will be in continuous 
contact with all levels of management throughout the organization. It should be 
made clear that the audit function is an advice function and that management 


retains full responsibility for the operations under review. 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.1.9 


The internal auditor is to be held responsible for producing audit plans and carrying 
out audits resulting in reports which advise management on the state of their 
operations and on remedial action. Management, in general, should be expected to 
provide input to audit planning. The deputy head should approve internal audit 
plans on advice from the audit committee. Responsibility Centre managers should 
be expected to: work with the auditors such that the audit process is optimized in 
terms of cost-effectiveness, respond to the findings, conclusions, opinions, and 
recommendations expressed by auditors in their audit reports, develop action plans 
based on the audit report recommendations and implement the action plans once 


they are approved. 
Human Resource Development 


A role for internal audit, as a service to management, might be in the area of human 
resource development (management training, interchanges, etc.). As one of the 

few functions which gets involved in all areas of departmental operations, it is 

ideal for providing aspiring managers with an opportunity to broaden their perspective 
and knowledge of the department while acquiring some grounding in management 


control theory and practices. 


Where the department expects to use the internal audit group as a training ground, 
this intention may be reflected in the internal audit policy, in terms of the respective 


parts the head of internal audit and managers are expected to play in this process. 
Other Departmental Evaluation Groups 


To avoid or minimize duplication of effort there should be a regular exchange of 
information, particularly of plans between the internal audit group and other depart- 
mental evaluation and review groups. Where practical, the internal audit group 
should participate in joint reviews with the other groups to minimize disruption to 
departmental operations. In any case, the internal audit group should review the 
operation of these groups, as they would any other control, and rely on their data 


to the degree warranted. 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.16 


External Relationships 


The internal audit policy should reflect support for the liaison role of the head of 
internal audit as to dealings with the Office of the Auditor General, the audit/ 
evaluation/review groups from the Audit Branch of the Public Service Commission, 
the Treasury Board Secretariat and the Office of the Comptroller General. This is 
done for the purposes of avoiding, or at least minimizing duplication of work and 
disruption to departmental operations. The internal audit group would also be 
expected to submit and/or exchange reports, and in some cases working papers with 


the above agencies. 


In addition, the internal audit group should be prepared to respond to requests for 
its reports and associated records per the new Access to Information Act, and possibly 


the Privacy Act. (More will be said on this in other parts of the Handbook.) 


Finally, mention should be made of the internal audit group's liaison role with 
professional bodies such as the Institute of Internal Auditors and the Canadian 


Comprehensive Audit Foundation. 


Audit Agents 
t 
The policy should reflect at least two ways in which the head of internal audit may 


be affected by, or involved in, contracting for audit agents. 


The first is in contracting for internal audit services. Many departments employ 
"agents" to conduct some or all of their internal auditing. The Audit Services Bureau 
of Supply and Services Canada is a major agent of this type. There are also many 


private sector accounting and consulting firms offering internal audit services. 


Departments using agents for internal audit purposes interface with these agents in 
several different ways. Some departments engage agents to conduct a full internal 
audit; some supplement the work of an in-house audit group; other departments 

have all the audit field work done by agents and only have one or more internal 

staff members who, on a full-time basis, coordinate, analyze and instigate corrective 


action based on agents' reports. These are all acceptable forms of organization. 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.1.11 


Although actual audit work may be assigned to agents, the responsibliity for the 
audit function remains with the department. The department should have a written 


agreement with the agent which should clearly specify: 


- the authority and responsibilities of the auditor, 

- the scope of the audit work, 

- the reporting relationships, 

~ the department's right to approve plans and schedules, and 


- the treatment of working papers. 


Sufficient control over contracting for audit agents should be exercised to assure 


that the audits proposed and carried out are cost effective. 


Reference should be made to Treasury Board's policies on contracting, particularly 
Chapter 310. 


The second involves the head of internal audit in providing advice to management 
on contracting for audit services (e.g. management reviews, contribution audits, 
etc.). In such cases the head of internal audit should not assume any direct respon- 
sibility. For example, internal audit groups should not be responsible for the 
establishment of audit criteria or participate in the administrative arrangements 
for carrying out management reviews or contribution audits of recipients. Other- 
wise, internal audit would be an element in the management control process related 
to the particular program, function or operation. It may not therefore be perceived 
to be objective in assessing that part of the management system at a ijater date. 
Consultative advice is to be provided only on an exception basis so that internal 
audit does not become part of the ongoing administrative and management control 


structure and process. 


5. REPORTING REQUIREMENTS 


Assignment Reports 


The policy should reflect the following requirements for assignment reports: 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy ; PGI? 


a) the results of each audit assignment should be documented in a formal 


report; 


b) draft audit reports should be discussed with the officials responsible for 
the activities being commented upon before being finalized; a response 
should be obtained and included in the report (method of presentation 


and location at the option of the department or agency); and 

Cc) the finalization of audit reports should not be unduly delayed by the 
response process (i.e. management must endeavour to provide its responses 
in a timely manner). 

The policy should also indicate that: 

a) audit reports should be forwarded to the officials directly responsible 
for taking corrective action on the matters raised in the report and to 
their superiors; 

b) where more than one auditee or official is affected, audit reports should 
be organized in such a way as to make them separable for purposes of 


presentation to the appropriate auditee; 


c) relevant findings should be made available to the heads of respective 


functional groups; and 


d) audit reports should be forwarded to the deputy head and the audit 


committee upon request. 
Reports to Deputy Head and Audit Committee 


The policy should specify the nature of the reports which should be forwarded to 


the deputy head and audit committee. The following options should be considered: 


a) forwarding of the executive summary of each assignment report; 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy 1.1.13 


b) provision of periodic reports, tailored to deputy head and audit committee 
requirements, which summarize significant issues disclosed by audits 


since the date of the last such report; 


c) provision of periodic accountability reports of progress against planned 
audit activity which analyse deviations and identify corrective action; 
and 


d) preparation of an annual report providing the information in (b) and (c). 


In considering the above options, it is possible that all of them might be useful. 
However, the minimum requirement is that a report should be submitted, at least 
annually, to the deputy head and audit committee setting out the actual audit 
coverage compared to the annual schedule. It would include appropriate explanations 
of any significant deviations including any anticipated impact on the long range 

plan. In addition, the report should summarize the major audit findings and recom- 
mendations reported on during the year and comment on the status of corrective 
actions, as well as any other matters which should be brought to the attention of 

the deputy head. To be meaningful and informative, the report should be issued in 

a timely manner. Timeliness in this case would likely be a function of the deputy 


head or audit committee's requirements and should be included in the policy statement. 


Reporting to the audit committee is also discussed in Chapter Two (pages I.2.6 to 
12229). 


6. AUDIT RESPONSE AND FOLLOW-UP REQUIREMENTS 


The policy should require that after being provided with a draft assignment report, 
the manager responsible for taking corrective action should provide a written 
response to each recommendation within a particular timeframe. The timeframe 


will vary depending on the department but usually should be within sixty (60) days. 


Internal Audit Handbook 
Volume I, Chapter One 
The Departmental Internal Audit Policy I.1.14 


Upon receipt of the final report, the responsible manager should be required to 


provide the following: 


1) within a reasonable period of time (e.g. two months) after receipt of 
the audit report, a plan of action including target implementation dates 
and the names of officials designated responsible for correcting the 


deficiencies; and 


2) periodic progress reports or as otherwise advised by the audit committee, 


until the corrective action has been taken. 


Management is responsible and accountable for the development and implemen- 
tation of action plans resulting from internal audit activity. Action plans and asso- 
ciated progress reports should be intended for senior managers who would normally 
oversee and assume ultimate responsibility for ensuring the implementation of 
corrective actions. Internal audit's interest is in monitoring progress to address 
identified deficiencies, and to plan for and execute independent follow-up action as 
directed to do so by the audit committee. These responsibilities, as they affect 
departmental management staff and internal auditors, should be clearly stated in 


the internal audit policy. 


fi i” mS 
— =<] 
a al ee 


154 


ee 


: = 
a 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.1 


CHAPTER TWO 
THE AUDIT COMMITTEE 


1. INTRODUCTION 


Background 


In the private sector, the use of an audit committee of the board of directors to 
evaluate the accuracy, objectivity and completeness of a company's financial disclo- 
sure has become common practice. The functions of such an audit committee are 
normally related to the company's external reporting, to the work of its external 


auditors, to corporate governance and often to the work of internal auditors. 


In the Government of Canada, the role of the private sector audit committee is, to 
a large extent, fulfilled by the Public Accounts Committee of Parliament. It 
regularly reviews the Public Accounts of Canada and deals with any matters brought 
to its attention by the Auditor General which relate to governance of the federal 
public sector as a whole or specific departments. However, due to the size and 
complexity of government operations and the Auditor General's cyclical approach 

to comprehensive auditing, the Public Accounts Committee does not have many 


opportunities to deal with the governance of any one department. 


In addition, since internal audit in the Government of Canada is a departmental 
responsibility, the Public Accounts Committee is not charged with maintaining an 
ongoing relationship with internal audit groups. Rather, departmental audit 
committees have been advocated by government policy for some time, and more 
recently by the Auditor General of Canada and the Royal Commission on Financial 


Management and Accountability. 


In recognition of the role departmental audit committees can play in safeguarding 
the independence of the internal audit function and contributing to departmental 
governance and accountability, government policy as expressed in the Standards for 
Internal Audit in the Government of Canada, Standard number 5, is that "There 
should be an audit committee chaired by the deputy head, composed of executives 


whose attributes assure the provision of sound and objective counsel to the deputy 


head." 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 132-2 


Purpose of the chapter 


The Standards publication provides some guidance on the establishment of audit 
committees. Flexibility is provided to facilitate the variety of management processes 
and varying stages of maturity and acceptance of the internal audit function found 


in departments and agencies. 


It is expected that internal auditors will be requested to advise departmental 
management with regard to the audit committee. This chapter therefore, provides 
information considered useful to departments and agencies in directing the evolution 
of their audit committee towards the desired state for the environment in which it 
operates, and in improving the administrative framework for a smoothly-functioning 
audit committee. It does not replace the information contained in the Standards 
publication but rather attempts to expand on that information with regard to what 


constitutes a model audit committee. 


Scope of the chapter 


The following major topics will be dealt with in this chapter: 


® the role, objectives and responsibilities of audit committees (Section 2); 


@ the audit committee's terms of reference and working procedures 


(Section 3); and 
e committee size and membership (Section 4). 
2. ROLE, OBJECTIVES AND RESPONSIBILITIES OF AUDIT COMMITTEES 
Role 
The Standards publication defines an audit committee as, "A departmental committee 


which is normally constituted of the deputy head as chairman and executives whose 


attributes assure the provision of sound and objective counsel to the deputy head." 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.3 


The primary role of the audit committee, based on this definition, is clearly one of 
providing advice and counsel to the deputy head as opposed to the committee having 
executive authority as a body. 


Senior departmental executives, individually and in their corporate role as members 
of management committees, are responsible for the design and implementation of 
management practices and controls. These individuals are continually called upon 
to provide advice to the deputy head on the conduct of the department's operations. 
They work in an environment where time is of the essence and must respond to 
imperatives within very tight time and resource constraints. Operational or product 
requirements focussing on the important aspects of program delivery are quite 
naturally given the highest priority, often to the detriment of internal control 
considerations and central agency guidance. The government's approach to internal 
auditing, providing a strong focus on internal control, has been developed in full 


awareness of this operating reality. 


The ultimate role defined for the audit committee in this scenario is one of "honest 
broker", weighing program delivery and control considerations against each other 

and providing advice to the deputy head which strikes a proper balance between the 
two. The committee's effectiveness will be closely linked to the degree to which it 
is able to discharge this 'honest broker' role of providing an independent and objective 


second opinion to the deputy head. 
Objectives 


In describing the requirement for an audit committee chaired by the deputy head, 

the Standards specifically avoided the development of a hierarchy of objectives, 
because it was recognized that the importance of specific objectives will depend on 
the perception of the deputy head and will vary depending on a department or agency's 


circumstances. 


The Standards did, however, list five broad objectives which are thought to encompass 


all relevant matters. These are repeated below with some elaboration. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee [264 


a to aid the deputy head in fulfilling his responsibilities for the administra- 


tive performance of his organization. 


Deputy heads are responsible for planning, implementing and controlling all depart- 
mental activities. Since they are not normally directly involved in the day-to-day 

activities of their departments, they must rely on a flow of relevant information to 
determine how well the organization is doing in order to provide direction and hold 


their officials accountable. One source of such information is audit activity. 


The audit committee's assistance in analysing and interpreting information on issues 
raised by auditors, and its advice on action to be taken to deal with them, contributes 


to the deputy head's ability to make informed decisions. 
e@ to strengthen the independence of the internal audit function. 


The audit committee bolsters the independence of internal auditors by providing 
them with a forum for communication with the deputy head and his chosen advisers. 
Without this avenue of communication, the internal audit function may find it 
difficult to adhere to findings called for by their professional judgement and to 
recommend procedures that do not meet with operating management's approval. 
This should not be interpreted to mean that internal auditors cannot be independent 
in the absence of an audit committee. However, the existence of an effective 
audit committee, which can be impartial in dealings between management and the 
auditor, makes it easier for the auditor to be objective and not unduly influenced 
by management, particularly if the internal audit head reports to someone other 
than the deputy head. 


Contact with the audit committee also gives the internal auditors increased status 
and authority which assists the auditor in getting the cooperation required for the 


audit process to be successful. 


® to emphasize the accountability of managers to government, to Parliament 
and ultimately to the taxpayer for the effective control and good manage- 
ment of public money. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.5 


The committee can make a substantial contribution towards improved accountability 
through the thoughtful review and challenge of the management processes which 

are the subject of audit comments. As part of the process of reviewing audit issues, 
the committee will determine whether audit recommendations and management 
responses reflect due consideration for the need to demonstrate value for money in 
the use of government resources. Where action has not been taken, the committee 


might wish to hear from the responsible manager to ascertain the reasons for not 
doing so. 


e to support all efforts to improve management practices and controls. 


Through its role of "honest broker", the audit committee can contribute to improved 
management practices and controls by providing advice to the deputy head which 
strikes a proper balance between program delivery and control considerations. The 
objectivity of an audit committee and the experience of its members are also valuable 
to the deputy head in identifying areas of concern towards which future audit effort 


might be directed. 


In addition, the advice and support of the audit committee members may prove 
quite beneficial where issues involve elements of central agency policy and/or 
activities. In such cases, the views of outside representatives may be seen to be 


more impartial than a committee made up solely of departmental executives. 


& to provide better communication between senior management, the internal 


audit function, the Auditor General, and the central agencies. 


The underlying purposes of this objective are to promote effective resolution of 
audit issues and ensure properly coordinated and cost-effective audit effort within 


the department, regardless of the source of the audit resources involved. 


The audit committee provides a focal point for such communication based on its 


knowledge of where audit effort is being, has been or will be spent in the department. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 15226 


Responsibilities 


Given the broad objectives just defined, the Standards go on to identify the following 
major responsibilities which an audit committee may have in advising the deputy 
head: 


® reviewing the appropriateness of long-term and annual audit plans and 


the coordination with external audit groups. 


The audit committee should assess the adequacy of the internal audit coverage and 
its major thrusts prior to the deputy head approving the plan. Its primary focus 

will be on the underlying rationale that is reflected in the plan proposed by the 

head of internal audit. In this way the committee can ensure that its concerns, as 
expressed in previous audit committee meetings, and those of departmental manage- 
ment are properly addressed, and that the overall coverage will be sufficient to 
enable it to provide appropriate advice to the deputy head. It should also advise 

the deputy head on the extent of the coverage in terms of the adequacy of the 


resources assigned to the internal audit function. 


In the course of preparing audit plans, the head of internal audit may find it 
necessary to communicate with the members of the audit committee independently 


of committee meetings to ensure that their concerns are properly reflected. 


Audit committees should also review the coverage proposed by the external auditors 
and the way in which it interrelates with departmental audit effort to ensure proper 
coordination of audit effort, to minimize disruption of departmental operations and 


to reduce the direct cost of audit. 


€ discussing major audit reports and findings and identifying how findings 


in one area may relate to other areas. 


® considering issues raised by the Auditor General and the central agencies. 
® monitoring the corrective or preventative action taken on major audit 


findings. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.7 


The committee's most time consuming responsibility by far will be its consideration 
of major assessments of departmental activity provided by internal and external 
auditors. It is in this aspect of its work that the synergy of the group has the 
greatest potential for assistance to the deputy head. It will be dealing with the 
highest level review issues and overall assessments that can be provided on the 


department's internal control framework and its operation. 


Audit reporting normally includes management's response to the audit. In addition 
to assessing the adequacy of these responses, the committee members should also 
be concerned with providing any insights they may have which would assist manage- 


ment in developing or improving on an action plan to correct the deficiencies. 


Given that the committee should rarely be addressing issues that are not of concern 
to the top and second levels of management, and that the meeting time of the 
committee will likely be measured in hours, not days, the head of internal audit can 
provide significant assistance to the committee by judiciously summarizing the 
audit activities and results into a form more meaningful and manageable for the 
committee's review. The nature of such summaries will depend largely on the 
interests of the committee; they could be organized by issue, organizational 
component, policy, function and perhaps in other ways. One should expect a fair 
amount of trial and error as the committee strives for a mode of operation which is 


most productive. 


To improve the likelihood of reports being addressed at a level of most interest to 
the deputy, and thus to the committee, the committee may wish to approve an 
overall reporting strategy that would be used as the framework for developing the 
audit plans each year. By planning in this way, audit reports that are outputs from 
the lowest level audit assignments should be capable of summarization to each 

level of management in the hierarchy, culminating with the deputy head and the 
audit committee. Approaching the audit report in this way can save the audit 
committee valuable time in its deliberations. It is recognized though, that other 
wide-ranging issues may be identified by the head of internal audit or the committee 
which will require modification of the reporting scheme during the planning year. 


Such issues can be dealt with on a meeting-by-meeting basis over the course of the 


year. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee LZ.5 


Under the committee operation envisaged here, the head of internal audit would be 
expected to provide regular accountability reporting of actual progress against an 
approved plan, as well as issue oriented reporting based on the expectations the 
committee had from the prior approval of the audit plan. With this level of reporting 
to the deputy head, the significance of annual reports is greatly reduced. Therefore, 
the deputy head and the committee may wish to provide direction to the head of 
internal audit on the requirements for a formal internal audit report for external 

use, after considering the needs of other potential users such as the Public Accounts 


Committee, the Auditor General and central agencies. 


Part of the committee's workload will be dealing with reports of external auditors, 
ideally using a process similar to that used for internal audit reports. In the interests 
of effective committee operation, the head of internal audit should attempt to 
ensure that these groups communicate with the committee in a manner similar to 


that established for the internal audit function. 


Having dealt with the audit reports, the committee should be advised when an action 
plan they had seen and assumed would be implemented does not, in fact, proceed as 
expected. Their interest is not in tasking but rather in their "need to know" the 
status of the departmental operating environment in order to assess the reasonable- 
ness of issues being addressed in the audit plan, and to weigh recommendations and 


action plans which result from audit activity. 


Once an action plan is approved by senior management, the onus is on the line manager 
to ensure that action is taken. There remains for the internal auditor the 
responsibility to assess whether appropriate management follow-up action has been 
taken on audit recommendations (including those of external auditors) and to report 

on the progress against plans. Through these reports the internal auditor plays a 

major role in ensuring the committee's ability to assess management's long-term 
response to recommendations. 


The committee will also wish to determine whether or not departmental management 
or other personnel gave full cooperation to the auditors. In this way, the committee 
can satisfy itself that no barriers were put in the way of the auditing process and 


the corresponding results. This point will also be of interest to them in fulfilling 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.9 


their responsibilities, as discussed on the next page, related to the internal audit 
function's independence and its evaluation. 


It should also be remembered that the head of internal audit must ensure that 
matters of particular sensitivity or urgency are brought to the attention of the 
deputy head without delay. The deputy head may then decide whether to refer 


these matters to his or her audit committee as soon as they are detected or at the 
next scheduled meeting. 


Normally an audit committee would also have the following responsibilities: 
® maximizing internal audit independence 


This is one of the overriding responsibilities of an audit committee, and of particular 
interest to others, such as central agency policy groups and the Auditor General, 
who are placing reliance on internal audit group assessments with regards to their 
own interests in the departments. The committee may periodically review the 
organizational status of the internal audit function to ensure that the head of 
internal audit has direct access to the deputy head and the committee. This respon- 
sibility is particularly important where the internal audit function might not have a 


direct reporting relationship to the deputy head. 
® evaluating the internal audit function 


The audit committee may periodically assist or advise the deputy head in evaluating 


the performance of the internal audit function and perhaps its senior staff. 


This would normally consist of their judgement of the internal audit function's 


utility based on an assessment of: 


° the plans and reports presented to it by internal audit and the meaningful 
changes in management practices and controls resulting from internal 


audit activity; 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 2210 


@ the manner in which internal audit personnel dealt with the audit 


committee and departmental management and other personne]; 


@ consideration of reports on the quality of the internal audit function 
prepared by the Office of the Auditor General and the Office of the 


Comptroller General; and 


® an awareness of the perceptions of the internal audit function held by 
departmental management, including the degree of cooperation received 


by the internal audit function in performing its audits. 


As was the case with the audit committee's objectives, specific responsibilities will 
vary depending on a department or agency's circumstances. The preceeding discussion 
was provided to assist departments and agencies in formulating committee respon- 


sibilities most suitable to their own situation. 


3. THE AUDIT COMMITTEE'S TERMS OF REFERENCE AND WORKING 
PROCEDURES 


Terms of reference 


The use of formal terms of reference which describe the committee's role, objectives, 


responsibilities and authority is especially desirable for the audit committee because: 


e they are instrumental in clearly establishing the roles and relationships 
of the key parties, (i.e. the audit committee, management, internal 
auditors and external auditors) involved in the performance and monitoring 


of the department's management practices and controls; 


e they give the committee a solid basis for exercising its influence; and, 


8 they are another sign to outsiders (i.e. the general public, Parliament 
and central agencies) that the deputy head is playing an active and 
responsible role in ensuring that the department's management practices 
and controls are under continuous examination and that needed improve- 


ments are being made. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.11 


The ultimate responsibility for approving and promulgating the audit committee's 
terms of reference belongs to the deputy head. However, the head of the internal 


audit function would likely be allowed or expected to play a large part in their 
development. 


In addition to the Committee's role, objectives and responsibilities discussed in 


subsection 2, terms of reference would normally address the following topics: 


authority 

frequency of meetings 
meeting agenda 
minutes of meetings 
who attends meetings 
committee secretary 


special assistance, and 


reporting requirements. 
Authority 


Particular attention should be paid to ensuring that management's and the audit 
committee's authority are clearly delineated. The terms of reference should clearly 
show that only departmental management has the authority to implement changes 
in management practices and controls. The audit committee's authority is normally 
restricted to that required to enable it to conduct its business (i.e. acquiring 
sufficient information to enable it to properly analyse the audit issues before it and 


provide advice to the deputy head). 

Frequency of meetings 

The actual number of audit committee meetings held each year will vary with the 
department's size, complexity, state of operations, the corresponding level of audit 


activity and the responsibilities of the committee. 


The committee meetings may be regularly scheduled or they may be called on an 


ad hoc basis. There is a certain desirable discipline imposed by a schedule of 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee E2512 


meetings, a discipline that would likely work to the advantage of the internal audit 
function by ensuring that audit matters would not have a tendency to be deferred 

in favour of other management priorities. It is therefore probably most desirable 

to schedule a minimum number of meetings annually, based on an anticipated normal 


workload. 


It is possible that one meeting each year will suffice for smaller departments 

or agencies. Where the department and the corresponding audit effort is small 

(e.g. the Auditor General's attest audit which is normally completed in July or 

August and one internal audit contracted out every 3 to 5 years), the audit committee 
may be able to review both the audit plans of the various auditors and the results 


of audits in one meeting. 
Meeting agenda 


To the extent that meeting schedules are set in advance, it may be desirable to 
predetermine agenda items for each meeting, particularly since much of the audit 
activity is forecasted in plans. The level of agenda detail that can be provided in 
advance will be proportional to the degree to which the audit plans can be 


synchronized with the audit committee's report review process. 


The written agenda, besides ensuring more effective use of committee time, can 
serve as evidence that the committee was thorough and timely in carrying out its 


responsibilities and that matters discussed were in keeping with its role. 


Minutes of meetings 


The minutes of audit committee meetings can range from a verbatim transcript of 
everything that happens at the meetings to simply highlights or major recommenda- 
tions of the committee members. 


Although the exact form and content of minutes are a matter of departmental 
preference, minutes containing less information than attendance, issues raised, 
information received and subjects discussed, along with the conclusions of the 


committee and its recommendations to the deputy head are not likely to properly 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.13 


document the committee's deliberations, the results of its efforts to deal with 

issues before it and its conclusions. Well documented minutes serve as evidence of 
the committee's activity and conclusions for those groups external to the department 
who wish to know if they can place reliance on the department's management 
Processes. In the absence of formal minutes, the requirement for personal interviews 


with committee members may be unnecessarily excessive and create an overburden 
on them. 


Who attends meetings 


In addition to auditors, internal and external, anyone who can provide information 
to the committee in order to assist it in its assessment of the issues before it, could 


be invited to attend audit committee meetings. 


Departmental managers should be invited to attend meetings during discussion of 
any items on the agenda for which they are responsible to allow the committee to 


evaluate their responses and underlying rationale for proposed corrective action. 


It is considered important that the committee reserve the right to meet with these 
people or groups alone so that matters can be discussed candidly and that sensitive 


issues can be broached in an atmosphere of confidentiality. 


It may also be necessary to request senior officials from central agencies such as 
the Public Service Commission, the Treasury Board Secretariat and the Office of 
the Comptroller General, to attend audit committee meetings to clarify policy 


direction and provide advice on management or audit issues. 


Committee secretary 


The predominant practice in the Government of Canada is to have the head of 
internal audit serve as the committee secretary. This has been particularly desirable 
to ensure that the internal auditor attends all committee meetings and is in a position 
to act as an adviser and provide staff support to the committee. However, a 


committee member or another departmental official may be appointed secretary. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee h2ei4 


Besides keeping minutes of meetings and also handling committee correspondence, 
the secretary, whether or not a committee member, can be influential in committee 
matters. He or she works closely with the committee chairperson and will likely be 
one of the people who has a say in drawing up the agenda. In addition, the secretary 
should provide research assistance by organizing material to make it as useful to 
the committee as possible, help formulate lines of inquiry and follow up on adminis- 


trative matters. 


Special assistance 


Audit committees may require other assistance in carrying out their responsibilities. 
This assistance can take varying forms including a budget to engage outside experts 
where the committee feels independent advice is necessary to interpret or further 
investigate audit issues and to explain methods used to acquire or analyse data. 

The head of internal audit should, however, be in a position to provide most of the 


technical assistance required. 


Reporting requirements 


Given that the audit committee is an advisory committee to the deputy, it must 


ensure that he or she receives its advice. 


As mentioned earlier, the minutes should be prepared promptly to ensure timely 
reporting to the deputy and provide evidence of the advice provided, should the 
deputy head require it in dealing with outsiders. The deputy head may in turn provide 
copies of the minutes to senior executives or a management committee to assist 
them in improving action plans in cases where audit committee members have 


provided advice on their implementation. 


Since the audit committee is overlayed on an existing management process, one 
which likely includes a management committee mechanism for tasking and monitoring 
projects, care is required by the audit committee secretary to ensure that the results 
of management committee activities which deal with audit are communicated to 

the audit committee. This is normally accomplished by regular contact between 


the secretaries of the two committees. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.15 


4, | COMMITTEE SIZE AND MEMBERSHIP 
Qualifications for membership on an audit committee 


The following excerpt from the Standards for Internal Audit in the Government of 


Canada describes the overall attributes for audit committee membership: 


"To meet their responsibilities, audit committee members must possess an 
understanding of the department's or agency's mandate, its operations, its 
internal audit, its accounting and financial controls, the accounting and 
financial reporting principles of the federal government, and the overall 
government policies and environment within which departments and agencies 


operate. 


The most important attributes which an audit committee member must have 
are broad experience, open-mindedness and good judgment. An audit committee 
member must also have the personal independence of spirit to ask the questions 
that need to be asked, whatever his or her professional background may be. 

In addition, the audit committee member must be prepared to make reasonable 


commitments of time and accept important responsibilities." 


In effect, the audit committee members collectively should provide a balance 


between knowledge of department and government operations and objectivity. 


The basic grasp of departmental activities, such as might be expected of a person 
serving on a corporate board of directors, is normally enough to enable a member 
to contribute effectively as an audit committee member. On the other hand, every 
committee should have in its membership some solid expertise in government 
operations and particularly departmental operations. One person who has a solid 


governmental and departmental background may be enough. 


More valuable than knowledge and experience are the personal qualities of the 
members. The expected attitude would be an insistence on finding out what the 
facts are rather than relying passively on information as it is presented by the 


auditors or by management representatives. A committee member must also be 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.16 


prepared to take issue with the auditor or management if he or she believes that a 


proposal will not be in the best overall interests of the department, the government 
as a whole or the general public. 


The chairperson 


It is only natural that a deputy head should chair his or her own advisory committee. 
This creates the ideal situation as the deputy head is then in direct control of the 
quality and quantity of advice received. This in turn increases the probability of a 
smoothly functioning committee by eliminating speculation as to the wants and 


needs of the deputy head. 


Alternatively, where a department or agency has a senior executive (such as an 
associate deputy minister, senior assistant deputy minister or vice-chairperson), 
the deputy head might appoint such an individual as chairperson of the audit 
committee. Such individuals would normally directly assist the deputy head in the 
management of the department as a whole and could therefore be expected to 
provide the same perspective of the department or agency as would be expected of 
the deputy head. They should therefore, through periodic consultation and 
feedback from the deputy head, be in a position to guide the audit committee 


towards the quality and quantity of advice required by the deputy head. 


To provide for situations where the chairperson is unable to participate in an audit 
committee meeting, the deputy head should select a vice-chairperson when he or 
she establishes the committee or changes its membership. Alternatively, he or she 
may choose a method of selection such as the committee members choosing their 


own vice-chairperson. 


Departmental expertise 


As mentioned earlier, every committee should have at least one person as a 
member who has a solid governmental and departmental background. In practice, 
it will likely be necessary to have two members who provide such expertise: one 
providing program knowledge, the other providing knowledge of administrative 


policies and practices. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.17 


The involvement of departmental managers on the committee is almost certain to 
increase the effectiveness of the committee by helping it gain the full cooperation, 
involvement and support of management. Such involvement might also reduce 


possible misunderstanding and conflicts between management, committee members 
and the auditors. 


Departmental representatives would be expected to provide the expertise required 
regarding the department's or agency's mandate, its operations, its management 
practices and controls, the accounting and financial reporting principles of the 


federal government and the overall government policies and environment. 


Bearing in mind the pace of change in the financial, administrative, regulatory and 
even legislative arenas in recent years, it would not be realistic to expect audit 
committee members to be true experts in all these areas. Rather, the audit committee 
would be expected to call upon other departmental managers and representatives 

of central agencies to provide information and advice during the course of its 


deliberations. 


Departmental representatives will make a significant contribution to the soundness 
of advice provided to the deputy, based on their knowledge of the environment in 
which the department or agency operates. However, the very strength that enables 
them to be strong contributors to committee deliberations, namely their insiders' 
view of departmental operations, often poses difficulties for them in trying to 
extract themselves from a situation so as to look at it more objectively. The 
difficulty is to have departmental managers who are far enough removed from the 
day-to-day operating decisions to make committee objectivity goals achievable, 
while still ensuring the individuals can provide the necessary expertise of the 


departmental operations. 


Outside representation 


Should the deputy head wish to have even greater objectivity, this might be 
accomplished by appointing an outside representative (i.e. an individual who is not 


an employee of the department or agency). 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee R2Zst3 


Government representation 


A representative from another government department or agency might not be 
totally familiar with departmental activities, but his or her knowledge of the overall 
government policies and environment and experience within his or her department 
could contribute to the soundness of advice while increasing the objectivity of such 


advice. 


Such representatives would normally be senior managers having considerable adminis- 
trative responsibilities (e.g. ADM Finance and Administration or Departmental 
Comptroller) so that they might bring to the committee the greatest breadth of 
knowledge and experience in the area of government-wide policies. Where the 

deputy head feels that the committee already possesses sufficient technical knowledge, 
a fellow deputy head possessing overall knowledge of policies and a thorough knowledge 


of the environment may be requested to become a committee member. 


External representation 


Senior executives from the private sector could be expected to provide additional 
benefits to the deputy head in terms of relating private sector experiences as well 
as providing a visibly impartial and objective viewpoint. The clearly impartial 
review provided by external representatives (those external to the government) 
should increase the confidence that groups external to the department (such as the 
general public, parliamentarians and central agencies) have in the departmental 
administration. Where the views of the department and a central agency differ, 


the department could benefit from an external representative's unbiased viewpoint. 


The Standards state that "Direction on the introduction of private sector represen- 
tation into departmental audit committees will await the results of selected trials 
and the formalization of guidance on the selection and appointment of candidates." 
Since the trials have not yet been conducted, this guidance is not available. Depart- 
ments and agencies are encouraged to recruit external representatives on their 

own. The Internal Audit and Special Studies Division of the Office of the Comptroller 


General is prepared to respond to any requests for advice on such appointments. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 1.2.19 


Term of appointment and rotation of members 


The following reasons have been offered for rotating audit committee members on 
a regular basis: 


® it spreads the burden of time involved in serving on the committee; 


® it ensures that fresh thinking will be introduced periodically, so that 


new questions will be asked and new issues will be raised; 


® it fosters objectivity of the committee whose members may in time 
identify with particular management personnel or problems, or with 


policies endorsed or even initiated by the committee; 


a service on a departmental audit committee is a valuable experience for 
departmental and outside representatives alike; a regular rotation policy 


gives more people a chance to benefit from this experience; and 


® with regard to external representatives, more private sector executives 
will have an appreciation of the problems associated with running a 


government department or agency. 


Rotation should not however be taken to mean a completely new committee every 
year. Rather, one or two members might be brought into the committee each year 


to replace members who are stepping down. 


Due to the complexities associated with audit committee membership, a minimum 
two-year appointment would be highly desirable. To provide some flexibility with 
regard to appointments of external representatives, contracts may be made for a 
one-year period subject to renewal. This would allow for a change in external 
representation should the need arise due to a change in deputy heads, due to an 
unforeseen change in audit committee requirements arising out of major 
departmental or governmental reorganizations, or due to requirements on the 
external representative's time which had not been foreseen at the time of 
appointment. However, a consideration in the appointment of an external 


representative would be an expressed willingness to serve for at least a two-year 


period. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 12220 


Ideal audit committee 


There is no ideal audit committee which will suit the requirements of every department 
or agency. The following models are therefore presented to aid departments in 
establishing the composition of a committee best suited to their particular circum- 


stances. 


Three models are provided which would likely be appropriate to all large or medium 
size departments or agencies, depending on their suitability. Although they are 
based on the chairperson and five members, the actual size of the committee may 
vary depending on the needs of individual departments and agencies and the 


attributes of the individual audit committee members. 


In smaller departments and agencies, the cost effectiveness of the committee 
should be considered. It is unlikely, when audit activity is restricted to the Auditor 
General's annual attest audit and a periodic internal audit performed on a contract 
basis every 3 to 5 years, that a private sector representative and possibly even a 
representative from another department would be desirable. The effort required of 
such members to acquire knowledge of departmental operations and administrative 
practices might be disproportional to their contribution. Audit committees 
consisting of the management committee or some of its members would likely be 


adequate in such situations. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 


Suitability 


TYPE A AUDIT COMMITTEE 


12521 


This type of committee would likely be suitable for departments or agencies with 


no board, commission or advisory committee, etc., and with no restrictions on its 


memberships for security or other reasons. 


Composition 


MEMBER 


1. Chairperson 


2. and 3. 
Departmental 
representatives 
(program) 


4, Outside representative 
- governmental 


CANDIDATE 


Deputy head 


ADM (or equivalent) of a 
program or group of 
programs 


Senior executive of another 
department or agency who has 
responsibility for the 
administrative policies and 
procedures within his or her 
department. 


CONTRIBUTIONS 


Clear definition of the 
quality and quantity of 
advice needed. 

Good understanding of 
the department and of 
the government. 


Expertise in the depart- 
ment's operations. 
Understanding of the 
department and government. 
Objectivity towards 
department's adminis- 
trative policies and 
procedures. 


Expertise in administrative 
policies and procedures 
within the government. 
Experience in dealing 

with problems within his 

or her department. 

Impartial viewpoint with 
regards to the department's 
operations and administration 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 


MEMBER 


5. External 
representative 
(1 member) 


6. External 
representative 
(2 members) 


Total membership: 6 


CANDIDATE 


Senior executive of a private 
sector corporation with 
responsibility for operations 
in an organization similar to 
those of the department or 
agency. 


Senior executive of a private 
sector corporation with 
responsibility for adminis- 
trative policies and 
procedures of his or her 
corporation. 


(1 member as described in either 4. or 5.) 


[i222 


CONTRIBUTIONS 


e Extensive management 
experience in an organi- 
zation similar to those 
of the department. 

e A clearly impartial 
viewpoint with regards 
to operations and admin- 
istrative policies and 
procedures of the depart- 
ment and the government. 


e Extensive management 
experience with regards 
to the administration 
of a large corporation. 

e A clearly impartial 
viewpoint with regards 
to operations and admin- 
istrative policies and 
procedures of the 
department and the 
government. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 


TYPE B AUDIT COMMITTEE 


Suitability 


[52.23 


This type of committee would be suitable for departments or agencies with a board, 


commission or advisory committee, etc., regardless of whether or not there are 


restrictions on membership for security or other reasons. 


Composition 
MEMBER CANDIDATE CONTRIBUTIONS 
1. Chairperson 
2. anges; 
Departmental The details for these first four members are identical 
representatives to those for the Type A Audit Committee. 
(program) 


(2 members) 


4, Outside representative 
-governmental 
(1 member) 


5. and 6. 
External Member of the board from 
representatives outside the federal government 
(2 members) with broad managerial 


experience. 


Total membership: 6 


Familiarity with depart- 
mental programs. 
Understanding of the 
government. 

Interest in the soundness 
of the administrative 
processes supporting 
decisions of the board, 
etc. 

Experience in dealing with 
problems based on his or her 
management experience. 
Impartial viewpoint on 
administrative policies 
and procedures of the 
department and the 
government. 


Internal Audit Handbook 
Volume I, Chapter Two 
The Audit Committee 122624 


TYPE C AUDIT COMMITTEE 
Suitability 
This type of committee would be suitable where there are restrictions on membership 
for security or other reasons and there is no board, commission or advisory committee, 
etc., from which to draw members. 


Composition 


MEMBER CANDIDATE CONTRIBUTIONS 


1. Chairperson 


2.-and.3. 
Departmental The details for these first four members are identical 
representatives to those for the Type A Audit Committee. 
(program) 


(2 members) 


4, Outside 
representative 
- governmental 
(1 member) 


5. and 6. 
Additional outside Deputy head of other @ Overall knowledge of 
representatives department or agency administrative policies 
-governmental and procedures of the 
(2 members) government. 

e In-depth knowledge of 
government environment. 

e Experience managing his 
or her department 
(including dealing with 
audit committee). 

e Impartial viewpoint with 
regards to department's 
operations and 
administration. 


Total membership: 6 


; wi he? ary Th ; a , hs on ia 
: nm iF , i" ‘i y 
ri bal Gin os Bb) 


bes my - Hin sili i an | fie ey ee hi 4/9 


ey peat io Wamaaiienivial (aw. 
ea a hale iy 
weit A MY") pam io ae 
7 , a : i . . ie rm ‘ ; 7 nT 
abe, ri Wy. 
ry Sc i, WR Ng 
4 La ‘ bbe ® 7 af ae ah a ’ ' \ : 
UT, 7 A 
ef Cikh 4,0 Mi ena! a 
Ripe hae NS Pia 
\* es iy : f f 
{ IF ' 1 ; iV 7 
- os y I : a) ove “4 why aii 
i vA i fi va ! 1 ( rh ; 
ena ee eae ei ) ere Ne 
Lerigiecs; Umer: ; “in 
er ite 


or Tien | S ’ 


| abet Nien ! Ain 


iii 


oy, 
i 4 1 hear 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.1 


CHAPTER THREE 


DEVELOPMENT OF INTERNAL AUDIT PLANS 


1. OVERVIEW 


Planning, whether strategic or operational, whether long term or short term, is as 
relevant for internal audit as it is for any other activity. Also, as with all activities 
that have department-wide, functional implications, even though their resources 
may be confined to a discreet responsibility centre there is a requirement to do 
function as well as responsibility centre planning. The flow of planning for internal 


audit is depicted in Figure Il. 


Function oriented planning, dealt with in this chapter, is department-wide in scope 
and is strategic and long-term operational in nature. Responsibility centre planning 
concentrates more on long-term infrastructural and annual plans and resources 
which will be dealt with in Chapter Four. Assignment planning will be introduced 
in Chapter Four and discussed in more detail in Chapter 1, Book | of Volume II, 


which deals with the audit assignment process. 


To the degree that the Standards provide guidance as to how internal auditing should 
be planned for, the relevant standards should be incorporated in the planning process 
employed. The Standards that are considered the most applicable at this stage are 
Standards No. 2, 3, 12 and 13. 


Since the internal audit group is typically a responsibility centre (RC) like any 
other responsibility centre, its planning process should conform to PEMS (Policy & 
Expenditure Management System), to the degree implemented in the host department 


or agency, and to internal departmental or agency planning guidelines. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 


Internal Audit Planning 


Planning Process 


Develop 
Strategic 
Information Plan 
From Internal 
Operations 


Develop 
Long-Term 
Operational Plan 


Develop Long-Term 
Infrastructural! Plans 


Develop 
Annual 
Schedule 


Develop 
Budget & Human 
Resource Plan 


Develop Audit 
Assignment Plans 


Carry out Assignments 


Figure | 


1.3.2 


Information 
From the 
Environment 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.3 


In what follows, an hierarchical framework based on two principles will be employed 


to describe the planning process: 


® The first principle recognizes that, in any endeavor, one must decide 


what is to be done and why before deciding how to do it. 


8 The second principle is that the what of a subordinate level of the 
planning process (e.g. Long-Term Planning Objectives) incorporates the 
how, to the degree defined, of the next higher level (e.g. Strategic Plan). 
This logic parallels that applicable to the respective managers of successive 


levels of an organizational hierarchy. 


Taking into account that the internal audit function is an instrument of the deputy 
head, it follows that the first event of the internal audit planning process should be 
the enumeration and ranking of the concerns that senior management wants dealt 
with. 


A parallel activity to be undertaken is the enumeration and/or updating and refine- 
ment of the audit universe. The audit universe should include all potentially auditable 


units without regard for manageability, reportability or priority. 


The raw data, obtained in the two parallel processes outlined above, may then be 
used to group elements of the audit universe into manageable audit units. As well, 
it may be necessary to develop a strategy for reporting on management concerns 
for those cases where the reports on manageable audit units will not adequately 


inform management on those concerns. 


The important concept here is that there is not necessarily a one-to-one relationship 


between reporting requirements and manageable audit units (audit assignments). 


Some issues have more impact (i.e. significance to management) when combined, 
others are more conveniently reported on as a derivative result of an audit of some 
other issue, while still others are not realizable within the timeframe of one audit 


assignment or even a series of assignments within an annual schedule and must, 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.4 


therefore, be reported in two or more successive steps, including interim and 
aggregate, final versions. For example, in some cases a management concern will 
be better reported on by selectively summarizing or aggregating the results of 


several audit assignments into reporting units. 


Finally manageable audit units are ranked as to importance, based on potential risk 
criteria, sized for macro resource requirements and consolidated into long-term 


plans, an annual schedule and associated resource plans. 
2. DEVELOPMENT OF THE STRATEGIC PLAN 
Introduction 


Strategic plans provide the framework which allows an organization to adapt to 
changing circumstances. As a process, formulating strategy involves the following 


activities: 


1) generating an adequate understanding of the organization as it currently 


exists; 


2) scanning the organization's environment to identify issues and trends 
which could have an impact on operations (i.e. problems, opportunities, 


constraints); 


3) developing a statement of where management wants the organization to 
be at some future point in time through the identification of objectives 


and goals; 


4) analyzing the differences between where the organization should be in 


the future and where it is now; and 


5) developing strategic plans which provide an approach to reaching 


objectives from the current position. 


The intent of this chapter is to concentrate on the practical aspect of internal 


audit planning. Therefore, an expanded view will not be provided for each of the 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.5 


activities noted above. This section will review only those aspects of strategic 
planning which give rise to problems, opportunities or constraints which have particular 
meaning for internal auditors. In this regard, two items have been isolated for 

review. First, the importance of identifying management concerns is reviewed. 


Second, reporting on management concerns is dealt with. 
Importance of Identifying Management Concerns 


The starting point for strategic planning is identification of strategic problems, 
opportunities and constraints, or generally, management's strategic concerns. There 
are three major ways in which management's concerns may impinge on the internal 


audit function: 


(a) The first is where a management concern translates into an audit issue 
to be reported on directly through audit reports from one or more audit 


assignments; 


(b) The second is where management's concern is such that it affects the 
emphasis placed on specific aspects of audit coverage or scope in some 
or all audit assignments (e.g. productivity improvement, communications, 


service orientation); and 


(c) The third is where management's concern affects the infrastructure of 


the internal audit function. 


Type (a) concerns will be our main target in this chapter. Type (b) concerns 
will be absorbed in the assignment planning process. Type (c) concerns are part 
of the internal audit responsibility centre planning process and will be dealt with in 


Chapter Four. 


Although type (b) concerns are being relegated to the assignment planning process, 

it is recognized that there are two ways in which such a concern can be dealt with. 
One is to reflect it in some or all audit assignments, as implied in the definition 
provided; the other is to convert it to an audit issue to be dealt with in a combination 


of one or more audit assignments. In the latter case it becomes a type (a) concern. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans [3.6 


Which treatment a management concern gets depends on the relative urgency of 
the concern and on management's, and/or the audit group's preference as to method- 


ology for dealing with it. 


Senior managers need data or information to identify the need for decisions, and 
further data or information on which to base those decisions. In those cases where 
senior managers have insufficient information, they depend upon various sources, 
one of which is the internal audit function. Concerns then, are often identified in 
terms of the managers' decision-making process requirements, rather than in terms 
convenient for structuring manageable audit units (i.e. audit assignments). Conse- 
quently, management concerns must be translated into reporting requirements. 
Reporting requirements must then be translated into audit issues in order to be 
distributed to audit assignments. Also, since managers have many potential sources 
of information, and internal audit is not necessarily the most obvious one, it is only 
by a combination of reactive and proactive effort on the part of internal audit that 


all such information needs may be identified. 


Concerns, as expressed by managers, generally translate into one of two classes of 
audit issue (sometimes both): those that are substantive in nature (i.e. goals, results 
or content oriented) and those representing systemic (i.e. structure or process 
oriented) concerns. In simple terms, substantive issues generally have to do with 
what is being done and systemic issues with how it is being done. As an example, 
the achievement of a specific level of service to the public is a substantive concern 


while the efficiency of the production system or process that led to its achievement 


is a systemic issue. 


Figure 2 illustrates two levels of either systemic or substantive issue. The columns 
represent programs, where substantive concerns predominate, while the rows 


represent functional activities, where systemic concerns are the focus of attention. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.7 


Function 
a UU 


Function 
“BY! 


Function 
CH a4 


Function 
UL @ Jel 


AUDIT UNIVERSE MATRIX 


Organization 


Unit Unit Unit Unit 
No. 1 No. 2 No. 3 No. 4 


Department- 
Wide 
Issues 


Note: 


“Units’’ = A program or oth 
Local Issues responsibility Cer 


Figure 2 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 13.5 


Audit issues then, as a representation of management's concerns, are introduced at 
this point for two main reasons. Although it is recognized that the majority of 
really urgent concerns will not surface with sufficient lead time to be included 
formally in strategic or long-term plans, there are some that will and they should 
be captured and absorbed in operational plans with as much lead time as possible. 
Secondly, there are rnany management concerns which are more or less ongoing. 
For example, it is hard to envisage long-term internal audit plans not reflecting a 
continuing, and frequent concern for financial and personnel resources, since they 
pervade the whole organization and represent the major resource concerns of 
management. Similarly on-going concern, on the part of senior management, is 
likely to be shown for key program areas, regardless of their perceived state of 


health or performance at any particular point in time. 


The following are examples of sources of management's concerns. 


Ls Individual Managers (Interviews) 6. External Audit reports 
2 Management Information System 7. Central Agency review reports 
reports 
8. Program Evaluation reports 


2D. Strategic Overviews, MYOPs, 
Estimates, especially Part III's, oF Audit Committee 
and other available plans 
10. Departmental Management 
4, Management Services'/ Committee reports or minutes 
consultants’ reports 
11. Parliamentary Committee 
5. Internal Audit reports proceedings, and parliamentary 


debate in general 


The identification of managerial concerns prior to development of long-term and/or 


annual plans has several advantages: 
For management it: 


1. Maximizes congruence between departmental/agency objectives and 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.9 


ee Taps a valuable additional source of information for decision-making; 
oh Improves the probability of timely information; and 


4, Improves the probability that the department/agency will have a cost 


effective internal audit function. 


For the Internal Audit Group it: 
1, Aligns internal audit services with the needs of its clients thus improving 


its relevance and credibility; 


2 Provides the maximum lead time for arranging audit assignments, in 


terms of content and timing, for optimal reporting impact; and 


SF Allows the internal audit group to deploy its resources in the most cost 


effective manner. 
From the foregoing the following premises for good planning may be derived: 


® Internal audit should maintain sufficient on-going communication with 
senior management to identify urgent management concerns and include 


them in audit plans with as much lead time as possible. 


e On-going management concerns should be included in internal audit 
plans, regardless of the perceived state of health or performance of the 
object of those concerns at any particular point in time. 


Reporting on Management Concerns 


As described previously, concerns, as expressed by management, are not always 


conveniently packaged for reporting and/or auditing in terms of audit assignments. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans Lag5L0 


The concerns expressed may be too narrow in scope to be addressed from the frame- 
work of anormal audit assignment. In this case the audit group has two choices. It 
can combine them with other audit issues for purposes of efficient auditing, or if 
they are sufficiently material and/or urgent on their own, they may be converted 

to an audit issue or issues which are dealt with by scheduling a Special Audit. On 
the other hand, the resultant audit issue may be too big for one audit assignment. 

In this case the issue may be replicated in several audit assignments with appropriate 
roll-up of assignment report findings for presentation to management. It may also 
be distributed over several time periods (years), in which case serious consideration 
should be given to interim reporting as well as a roll-up. In any case, an audit which 
deals with a management concern or concerns will be referred to as a Reporting 
Audit Unit, and will represent the results of audit effort expended in one or more 


audit assignments. 


Therefore, provision in the internal audit planning process for reports other than, 
or in addition to, the traditional audit assignment reports is desirable, and in fact is 
being encouraged in order to improve the relevance of the internal audit function, 
as viewed by senior management. This suggested approach is an extrapolation from 
Standard 21 which reads: "A report shall be submitted to the deputy head at least 
annually on audit coverage, major findings, significant unresolved recommendations 
and any other matters requiring the deputy head's attention." (Underlining added 


for emphasis.) 
3. DEVELOPMENT OF A LONG-TERM OPERATIONS PLAN 
Introduction 


As displayed in Figure 3, the long-term planning process consists of identification 
of the audit universe; combining the output of that activity with the output of the 
strategic planning process, and, based on significance criteria, reporting strategy 
and audit assignment strategy, developing a combination of manageable audit units 
(MAU's) and reporting audit units (RAU's) which meet the requirements of both 


senior management and the internal audit group. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.11 


Internal Audit 


Long-Term Operational Planning Process 


Develop 


Strategic 
Plan 


Identify the 


Audit Universe 


Develop 


Develop 


Develop 
Manageable Audit 
Units (MAU's) 


Significance (s) 


Criteria 


Develop Audit Develop Develop 


Risk 


Criteria 


Frequency Table 
for RAU's/ 
MAU's 


Relationship and 
Order Tables 
for RAU's/MAU's 


Develop Develop 


Broad 
Statements 
of Audit 


Scope and 


Macro- 


Level 


Resource i Seer) ong-Term Pla 


Document the 


Plan 


Objectives 


Legend To Annual Schedule 
MAU = Manageable Audit Unit 


RAU = Reporting Audit Unit 
Figure 3 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans a Sak2 


These manageable audit units are then arranged in a frequency table, based on 
their significance to management, ranked according to their perceived risk, and 
finally documented in an inclusive, long-term plan. This process is cycled between 
the internal audit group and senior management or the audit committee until there 
is agreement on significance/frequency for audit, and relative risk/order, then 


approved for implementation. 
Identifying the Audit Universe 


In principle, all organizational units which together comprise the total responsibility, 
for which the deputy head is accountable to his/her minister, are subject to audit. 

If they were all audited, they would represent total coverage of the audit universe, 
e.g. if all responsibility centres (RCs') were audited they would represent total 
coverage. Alternatively, all planning elements of the Operational Plan Framework 
(OPF) could be subjected to audit, thus providing equivalent coverage. Which is 
chosen as the basis for definition of the internal audit universe is not crucial as, 


ultimately, the two frameworks parallel each other and, in the ideal case, coincide. 


Coverage of the audit universe need not include all RCs' or planning elements 
explicitly. An individual RC may simply not be sufficiently significant to management 
to warrant individual attention, (criteria for "significance" will be dealt with later). 
Alternatively, a large RC may not be convenient to audit within the framework of 

an audit assignment (i.e. it may not be manageable). The task at hand becomes 

one of identifying elements of the audit universe in a manner which will both allow 
their aggregation or disaggregation into auditable units which are both significant 

and manageable, and to demonstrate coverage of the complete audit universe, at 


some level of aggregation. 


Regardless of how the audit universe elements are to be covered by audits in any 
one planning cycle, the enumeration of the elements of the audit universe should be 
on a sufficiently elemental plane to allow for raising or lowering of the level at 
which they are audited from planning cycle to planning cycle without redefinition 
of the universe. It is suggested that audit universe elements be enumerated to at 
least one level below the lowest level manageable audit unit, to provide this 


flexibility and to facilitate identification of the total possible scope of an 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.13 


audit assignment. This imposes a requirement that the audit universe be identified 
in terms of its elements simultaneously with the development of manageable audit 
units. The identification of the audit universe should not be a mechanical listing 


exercise. 


This approach will have several benefits. It will facilitate reconciliation of the 
contribution of coverage by internal audit and other audit and quasi-audit or review 
groups to overall control framework review, thus facilitating joint planning of audit 
coverage; it will facilitate recognition of relative risk potential to management; 
and, it will facilitate demonstration to management/the audit committee that not 


only were their expressed concerns dealt with, but that the risk of not dealing with 
undetected potential concerns was minimized as well. 


In summary, there are two criteria to be met in identifying audit universe elements: 


1) they must be physically recognizable, and 
2) when aggregated, they must represent total coverage of the audit universe. 


Developing Manageable Audit Units 


Manageable Audit Units are groupings of audit universe elements which meet the 
test of significance (i.e. if subjected to audit, the resulting report will satisfy 
reporting requirements, at some level) and are of a size and scope such that they 


are logistically manageable within the framework of an audit assignment. 


The phrase "at some level", above, refers to the fact that a manageable audit unit 
may be treated as an audit assignment for logistics purposes, although it is not 
considered sufficiently important to be reported on separately to senior management. 
In this case the audit assignment report is used as a means of communicating findings 
and recommendations to local and intermediate levels of management, and its 
contents are aggregated or synthesized with other such material for reporting to 


senior management. 


Ideally, a list of manageable audit units would consist of those physically identi- 
fiable units (Responsibility Centres, Programs, Activities, Functions, Systems, 


Projects) which are considered to have high risk potential for senior management if 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.14 


they do not perform as intended and are judged by the head of internal audit to fit 
conveniently into an audit assignment. In other words, they would be both significant 


and manageable. Also those physically identifiable units would be mutually exclusive. 


As pointed out in the previous section, there will be cases where one or both 
conditions are not met and some form of aggregation of audit universe elements 


will be necessary. The means of aggregation may be either direct or indirect. 


In the "direct" case, the coverage in any one long-term plan may be represented at 
the level of RC which, based on reporting requirements, is of direct significance to 
senior management. The higher the level of aggregation the lower the audit resource 
allocation per RC. It is important to note that the relative significance to manage- 
ment of any one RC may change from one planning cycle to the next, thus changing 


the level at which it is audited. 


In the "indirect" case, where a sampling approach is used to satisfy reporting 
requirements, the assumptions made are twofold: first, it is assumed that the 
significance of any one RC in the sample (e.g. one of a set of district offices ina 
region) is not sufficiently great to warrant assignment of audit resources to it on 
its own; second, that activities/processes for the set are sufficiently homogeneous 
that a sample drawn from the population will be representative of all RCs in that 
category; and, that the results from an audit of a sample of such RCs will be 
representative of the whole population. This requires the creation of a Reporting 
Audit Unit so that the aggregate audit results may be properly combined for 
reporting to senior management (i.e. staff time must be allocated to gather the 


results of several audits and to prepare a report to senior management). 


Some ways in which audit universe elements may be combined into manageable 
audit units (audit assignments) or reporting audit units are described below and 


represented in Figure 4: 


Internal Audit Handbook 
Volume I, Chapter Three 


Development of Internal Audit Plans 1.3.15 
A) Responsibility Centre Audit 


B) 


A Responsibility Centre (RC) audit consists of an audit of all the 
important operations/activities undertaken by that RC (program or 
administrative), the management of that RC, and the impact of functional 


direction (program or support) on the activities of that RC. 


Columns | and 2 of Figure 4 show responsibility centres which are 
significant. They are therefore both reporting and manageable audit 
units. In such a situation the major auditee is senior management. 
Derivative auditees would be immediate and intermediate management, 
and functional groups which impinge on the responsibility centre. 
Column |, Figure 4 also represents a responsibility centre audit which 
may not be, by itself, sufficiently significant to report to senior 
management. In this case, it would probably be rolled up with other 
similar manageable audit units for reporting to senior management (as a 
reporting audit unit report) but would be reported on, as is, to local 


management (as a manageable audit unit report). 


Organizational Audit 


Organizational audits are RC audits where more than one, or parts of 
more than one RC are involved (e.g., a Division, Branch, a Region, an 
airport, a ship). In these cases, significance would normally be assigned 
to the highest level RC which would therefore become the reporting 

unit as far as senior management is concerned. The key distinction 
between an RC audit and an organizational audit is that an organizational 
audit will typically include, for example, a number of regional offices 


within a branch or a number of field/local offices within a region. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 


Illustration of 
Manageable Audit Units in Terms 
of Types of Audits 
Auditable Audits 


Responsibility Centres (RC's) 
Department/Agency 


Branch (Program A) 
1 Division (Activity A) 
|Meat Directorate 

a TY Directorate 
r3 Directorate 


Division (Activity B) 

1 Directorate 

2 Directorate Cc 
3 Directorate 

4 Directorate 


1 Division (Activity C) 
e2 Division (Activity D) 


Branch (Administration) 

1 Division (Finance) 

ives Directorate (e.g. Accounting) 

2 Division (Personnel) 

2:1 Directorate (e.g. Staffing) 

3 Division (Systems Development) 


Figure 4 


Branch (Program B) = ; 


T3216 
5 6 
etc We YS pres 
ie ch ae 
Is| Is | 
[Al IAl 
;MI| 1 Mi 
sale eile 
| | 
phi beg 
| iz 
| ! | 
ay | 
| 

| 
a yl 
oa 
em 
| in| 
| ee 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.17 


C) 


Each responsibility centre within the audit unit is assumed to be manage- 
able, however, it may not be considered significant, and therefore 
reportable, at least as far as senior management is concerned. It may 
however be possible to group certain RCs into a sampling population 

and use a sample of that population to form a manageable audit unit. It 
is, therefore, possible that adequate coverage of the audit unit may be 
provided without visiting all the subordinate RCs during a specific 
planning cycle. Those RCs that are visited should receive some form 

of feedback (a report, or at least a management letter). An organizational 


audit which includes sampling is illustrated in column 3 of Figure 4. 
Functional Audits 


A functional RC (e.g., Finance, Personnel etc., or a program) is one 
which provides functional direction, advice, and sometimes services to 
other RCs within the organization. Generally, direction is provided 
through the issuance of formal policies and directives and other similar 
mechanisms. The functional audit must include review of the effective- 
ness, efficiency and economy of the direction or service being provided 
by the functional group and the extent of adherence to its policies. To 
avoid duplication of effort, the audit may be accomplished by reviewing 
pertinent information from recently completed RC or organizational 
audits. Column 5 of Figure 4 illustrates a functional audit of the Personnel 
Function, while column 4 illustrates a combined organizational-functional 
audit, since it includes an audit of branch management as well as of the 


financial function. 


For a functional audit, a major client, in addition to the deputy head, is 
the head of the function subject to audit. The head of the function is 
also the main auditee. Derivative auditees are other, lower level groups 
within that function and the selected RC managers that were part of 


the sample. 


Internal Audit Handbook 
Volume I, Chapter Three 


Development of Internal Audit Plans | Ber Be: 
D) Program Audits 


E) 


A program audit is a responsibility centre audit of the RC charged with 
the overall responsibility for the program (e.g. a branch) and, where 
applicable, all or a sample of the program related operations of the 


program's responsibility centres (e.g. regions, field offices). 


A program audit may be identical to a responsibility centre or organiza- 
tional audit. In other cases it may be similar to a functional audit. 
Column 2 in Figure 4 illustrates a program audit. It should be noted 

that RC 2, which has overall responsibility for the program, is audited 

as if a responsibility centre were being audited. Although it would be 
possible to audit only specific program activities in this RC, the adminis- 
trative and management practices within this RC would be expected to 
affect overall program performance. It is therefore considered desirable 


to audit this type of RC in its entirety as part of a program audit. 


It is suggested that for program audits the internal audit group plan a 

joint internal audit-management project for the purpose of developing a 
mutually agreed to, predetermined control model, including acceptance 
criteria well in advance of any contemplated audit. Plans should reflect 


this two-phase approach where it is adopted. 


Systems Audit 


Although the term "Systems Audit", if one were to take the most generic 
definition of the word "system", would include all types of audit unit 
described above, the term as used here is meant to include only systems 


in the narrower sense as used by EDP or systems and procedures staff. 


A systems audit is an audit of a system used by any functional or line 
unit, or any combination of the two. This type of audit is similar in 


nature to the functional audit in that it is carried out by performing: 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.19 


i) A review of the organizational unit which is responsible for the 
overall design and/or maintenance of the system (the administering 
unit, typically the EDP group); 


ii) A review of the organizational units which host (own) the system 


(input and output); and 
iii) A review of a sample of the users of the system. 
The audit may differ from the functional audit in two ways: 


i) The system may be administered or used by either operational or 


functional organizational units; and 
ii) Direction normally flows in two ways: 


a) | The administering unit provides direction on how to use the 


system, and 


b) | The host (owner) unit provides direction on the inputs the 
system should accept and the output that the system should 


provide. 


Column 6, Figure 4 provides an illustration of this type of auditable 


unit, where Finance is the host unit. 


F) Pre-implementation Audit 


The audit of proposed legislation, policies, systems, contracts, etc., 


prior to their implementation. 


These audits are concerned generally with the degree to which the 
mechanism under design will exhibit post-implementation manageability 
and auditability, and specifically with the adequacy of controls being 
built into the proposed mechanism. They are performed at various 


points during the specification/development/design/implementation/ 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 133520 


turnover process, when the cost-effectiveness of such a review is highest. 
A second type of review that may be included in the audit scope at this 


time is an audit of the development process itself. 


G) Special Audits 


This type of audit is usually for the purpose of reporting on an issue 

that does not fit readily into a manageable audit unit or an array of 
MAUs. It would include unscheduled audits requested by senior manage- 
ment, unexpected audits caused by some fraud or defalcation incident, 
etc., as well as scheduled, issue oriented audits. Although these individual 
events are often unforeseen, a blanket, contingency provision can, and 
should, be made in both the Long-Term Plan and Annual Schedule to 


accommodate them. 


Requests for special audits which are expected to absorb significant 
resources, and which would cause planned audits to be rescheduled, 


should be considered and approved by the deputy head or audit committee. 


In summary, the identification of management concerns which resulted in reporting 
requirements, was one of the major activities in the internal audit function's strategic 
planning process. In the Long-Term Planning process these requirements are translated 
into audit issues which, along with other significance criteria, are used to influence 


the process of converting audit universe elements to manageable audit units and 
reporting audit units. 


By organizing audit universe elements into manageable audit units, which are some 
combination of RC Audits, Organizational Audits, Functional Audits, Program 
Audits, and Systems Audits, most managerial issues can be reported on. These may 
be either directly reflected in audit assignment reports or require a synthesis or 
roll-up of findings into summary or special reports (i.e. reporting audit units) for 
reporting to senior management. The remaining issues can then be covered by 
Special Audits. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.21 


In those departments or agencies where the audit universe elements are too numerous, 
or not of sufficient significance to be treated as individual manageable audit units, 
some means is needed to determine how they should be aggregated such that they 
provide audit results which are meaningful to management while satisfying the test 

of manageability. In what follows an illustrative example will be developed that 


uses a significance index for deciding on the appropriate level of aggregation. 


Criteria for Aggregating Audit Universe Elements into Reporting Audit Units/ 
Manageable Audit Units 


From the foregoing it may be seen that there are three "tests" to be employed in 
reconciling (aggregating or dissagregating) audit universe elements and reporting 
requirements. In this context "aggregating" represents a "bottom-up" approach 
(i.e. from audit universe elements to either manageable audit units or reporting 
audit units). While disaggregating represents a top-down approach. The use, 
advantages and disadvantages of each approach will be dealt with later in this 


section. 


The three tests, referred to above, are significance, manageability and coverage. 
Significance criteria will be used to determine reporting audit units (reporting 
assignments), manageability criteria to determine manageable audit units (audit 
assignments) and the criteria for coverage is simply that the whole audit universe 
must be represented by audit universe elements, at some level (i.e. the list of audit 


universe elements must be inclusive). 


Ignoring, for the moment, the approach to be used for aggregating/disaggregating 
audit universe elements, what will be demonstrated first are the various ways 
(methods of combination) in which audit universe elements may be reconciled with 


manageable audit units and reporting audit units. 


In Table 1 combinations are shown, which represent five of the methods of combining 
audit universe elements into either manageable audit units, reporting audit units or 
both. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans [e3522 


Table 1 
Aggregation of Audit Universe Elements 


Audit Manageable Reporting 
Universe Audit Audit 
Elements Units Units 
Method (AUEs) (MAUs) (RAUs) 
1 0001 001 01 
2 0002 002 02 
0003 
0004 
0005 
5) 0006 003 03 
0007 04 
0008 
4 0009 004 05 
005 
) 0010 06 
0011 006 
0012 
0013 
0014 
0015 006 
0016 
0017 
0018 006 
0019 


0020 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.23 


Method | represents the ideal case, where there is a one-to-one relationship between 
the audit universe element, the manageable audit unit and the reporting audit unit. 
However, a real world departiment/agency is seldom amenable to reconciliation in 


such a straightforward fashion. 
Other combinations that are likely to occur are as follows: 


e Method 2, where the significance test indicates that audit universe 
elements 0002 to 0005 are not significant to senior management in 
themselves and the manageability test indicates that elements 0002 to 
0005 are more efficiently audited as one audit assignment. In this case 
the audit assignment report will also be the basis of the report to senior 
management. The report to senior management (i.e. the reporting audit 


unit) may be in the form of a summary. 


® Method 3 represents a more complicated case in that two reports to 
senior management are required (reports 03 and 04) even though only 
one audit assignment report (no. 004) is contemplated. This can occur 
when senior management wishes a special report on the whole, or some 
aspect, of an audit universe element (e.g. suspected fraud or abuse) or 
when senior management wishes a special report on an issue which spans 
several elements and/or units. The audit group is then required to 
synthesize another report which covers audit findings and conclusions 


on the remaining portions of the manageable audit unit. 


® Method 4 demonstrates the case where the audit universe element is 
too extensive to be one manageable audit unit, but where senior 
management wishes only one report. In this case, results of audit 
assignments nos. 004 and 005 are combined and summarized into report 


no. 05 for senior management. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans F329 


® Method 5 represents the sampling approach to coverage. It represents 
an audit where a sample of audit universe elements is audited as one 


manageable audit unit in order to provide one report to senior management. 


What remains now is the demonstration of how significance criteria may be used to 
arrive at reporting audit units. To do this we need some measure of "significance" 


which incorporates a representative sample of significance criteria as shown in 


Table 2} (i.e. a significance index). 


The starting point for assigning significance indices to audit universe elements is 
management concerns, which have been translated into reporting requirements and 


packaged as reporting audit units, which clearly should meet the threshold test. 


However, the process cannot end there for two reasons. Meeting the threshold test 
at a specific level (e.g. Branch) does not preclude subdivision into reporting audit 
units at the next lower level which also meet the threshold test. Also, expressed 
management concerns will not necessarily represent a range of audit universe 


elements which assure total coverage. 


| A more complex, and more rigorous method of determining significance (risk) 
indices is descibed in Appendix C. 


Internal Audit Handbook 
Volume I, Chapter Three 


Development of Internal Audit Plans 


(a) 


(b) 


(c) 


(d) 


(e) 


(f) 


(g) 


CRITERIA 


size 


risk 


major changes 


previous 
internal audits 


work of other 
auditors or 
consultants 


concerns and 
needs of senior 
management 
(reporting 
requirements) 
special 
considerations 


BS Pa) 


Table 2 


Table of Significance Criteria 


DETERMINANTS 


usually determined by 


2 


revenue generated 
expenditures made 
assets controlled 
person years 


risk is a function of 


the extent and reliability of the control 
system 

the vulnerability to loss 

the vulnerability to criticism through poor 
products and services 

political sensitivity 


major changes in systems or organization 
the implementation of new systems 

the establishment of new organizations 
changes in key personnel 


dates 

findings and recommendations 

the extent of follow-up and corrective 
action by management 


(The discovery of major deficiencies in one unit 
may necessitate audits of similar units.) 


The reports and audit plans of 


the Auditor General 

the Comptroller General 
Treasury Board 

other evaluation groups 
consultants 


Have priorities been identified by senior 
management? 

Has senior management made a specific 
request for an audit to be done? 


provision for other criteria which may have an 
impact on the ranking process. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 3-26 


The only way to assure both reporting significance and coverage is to undertake a 
systematic top-down examination of organizational elements for significance greater 
than a predetermined threshold. Although this exercise may also be undertaken 
starting from the lowest level organizational elements (i.e. bottom-up), in most 

cases it would be more efficient using the top-down approach. In small organizations 
it is likely that reporting audit units and manageable audit units will be identical 

and these will most likely coincide with audit universe elements. In this instance 
there will be little or no difference in efficiency, between the two approaches. In 

the case of large organizations, not only will the bottom-up approach not be efficient, 
it may not even be feasible. With either approach, the results achieved should be 


identical. 


A significance index within a predetermined range (say | to 1000), based on a 
subjective evaluation of one or more of the significance criteria shown in Table 2, 
could be negotiated with management and assigned to organizational units within 
the department. Then, based on a threshold, agreed to with management, the audit 


head would decide on reporting audit units. 


The ideal case, where all manageable audit units turn out to be reporting audit 

units (according to the threshold test) is illustrated in Table 3, based on the hypothe- 
tical organization depicted in Figure 5. The more likely case, where manageable 
audit units and reporting audit units do not coincide is illustrated in Table 4, also 
based on Figure 5. 


In this illustration, RCs 1112 through 1114 are not sufficiently significant, at that 
level of aggregation, to warrant reporting to the deputy head/Audit Committee 
individually, however, they meet the requirements as manageable audit units. They 
will be audited individually and reported on to local management and the head of 
Finance (see Figure 5) individually, then rolled up under reporting unit no. | for 


presentation to senior management (deputy head/audit committee, ADM Admin.). 


The methods by which audit universe elements may be combined into manageable 


audit units and reporting audit units has already been illustrated in Table 1. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans e327, 


Organizational Chart 


Department Z 


RC 1000 
Admin Program | 
RC 1100 RC 1200 RC 1300 


Activity 
BA 
RCW221 


Financial 


Acctg. | |Budgeting | |Financial 
RGA IRCAN2 Systems 


RGyEhte 


Reporting 
RC 1114 


Figure 5 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 


Table 3 
Development of Manageable Audit Units/Reporting Audit Units 


(MAU = RAU) 


AUEL Significance Index? | MAU/RAU 


RC 1000 1000 

RE 1100 500 

RC -liol 100 

RC 1110 300 1 
RGus 250 % 
RG 2 150 

RCo 113 150 

REPT 150 

RC. Zo 300 3 
RG 150 

RG awit 22 100 

Ry Mt 23 100 

RC 1124 100 

RC 1200 900 

RC 1201 200 & 
RGH W210 250 5 
Ry ed 300 6 
RC wile 275 7 
RC 1220 500 8 
a her aa 175 

RC 1222 100 

RC 1223 150 

RC 1224 100 

Legend 

AUE = Audit Universe Element 

MAU = Manageable Audit Unit 

RAW A Reporting Audit Unit 

Note: 


1 See Figure 5 


2 Range a 1 to 100 (for each significance criteria used) 
Threshold = 200 


1.3.28 


Internal Audit Handbook 
Volume I, Chapter Three 


Development of Internal Audit Plans 


RC 


RC 
RC 
RC 
RC 
RC 
RC 
RC 
RC 
RC 
RC 
RC 
RC 


RC 
RC 
RC 
RC 
RC 
RC 
RC 
RC 
RC 
RC 


AUE 


1000 


1100 
1101 
1110 
PELE 
1112 
1113 
1114 
1120 
1121 
1122 
1123 
1124 


1200 
1201 
1210 
1211 
T2712 
1220 
1221 
1222 
1223 
1224 


Development of Manageable Audit Units 


Table 4 


and Reporting Audit Units 


(MAU # RAU) 


Significance Index 
1000 


500 
100 
300 
250 
150 
150 
150 
300 
150 
100 
100 
100 


900 
200 
250 
300 
275 
500 
175 
100 
150 
100 


MAU 


110 
PM 
EZ 
1B ie. 
114 
120 


201 
210 
211 
212 
220 


RAU 


COON NU 


beoe29 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.30 


Given that a top-down approach is used, what has been demonstrated in Tables 3 
and 4 is an enumeration process appropriate to any size organization. In this case a 
threshold of 200 is being used, i.e. any unit scoring greater than 200 is considered a 


reporting unit. 


In the top-down case the planner would work down the hierarchy (progressively 
disaggregate) until the threshold is crossed, i.e. the unit scores below 200 (let this 
be level n). If the units at this level are all manageable audit units then all units at 
that level become audit universe elements and the next higher level (level n+1) is 
the reporting unit level. The exception to this rule is where the unit at level n is 
not yet a manageable audit unit (i.e. too large), in which case the planner continues 
to work down level by level until manageable audit units are identified. These are 
then rolled up for reporting purposes, as described before and illustrated in Table 4. 
Again, the level at which audit universe elements are identified should be at least 
one level below the level of the manageable audit unit in order to provide planning 


flexibility. 


It may be readily seen that if the top-down method of determining manageable 
audit units/reporting units is chosen then the enumeration of the audit universe 
necessarily follows, rather than precedes, the manageable audit unit/reporting 
audit unit development process. Where level n is found not to coincide with the 
lowest level RC's in the organization the top-down approach will be more efficient 


than the bottom-up approach. 
Ranking the Audit Units 


The next step in the long-term planning process is to rank manageable audit units 
into a priority list, (according to their relative risk potential or significance) so 
that they may be sized, in terms of macro-level resource requirements and scheduled 


Over an appropriate timeframe into a formal Long-Term Plan. 


The proposed process for identifying issues, defining manageable audit units and 
ranking them will undoubtedly be iterative in nature as significance may have to be 
determined before a decision can be made as to an audit universe element's, or an 


audit issue's importance. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.31 


The process of identifying manageable audit units and reporting audit units, by 

itself, is of little value unless a method for scheduling them is established. Ranking 
of audit units serves two purposes. First, it provides a basis for deciding how 
frequently audit units should be audited. Second, it provides a method for 
determining in what order those units should be audited (refer to Table 6). In what 
follows, frequency and order are both determined on the basis of the audit unit's 
significance to management. However, for those interested in a method with greater 


rigour, a more advanced technique is presented in Appendix C. 


In the development of the long term plan, the frequency of audit of manageable 
audit units is a key consideration. In many cases, frequency of audits has been 
expressed in terms of fixed time intervals (cycles) for a department's organizational 
components, such as regions, branches or responsibility centers (e.g. Finance -every 
3 years; planning - every 4 years; program A -every 5 years). Experience has shown 
that frequency expressed solely in these terms has tended to result in some audit 
units being given unwarranted equal priority in successive planning cycles. Hence, 


a sub-optimization of scarce audit resources can occur. 


Assigning a reporting or manageable audit unit a frequency without regard for its 
current state tends to eliminate a key decision point in the plan development process, 


that of setting or changing the frequency on the basis of significance to management. 


The extent and frequency of recurring internal audits depend upon varying circum- 
stances such as: conditions found during previous audits or the lack of previous 
audit; performance reflected in management reports; overall importance to organi- 
zation; and adequacy of the internal control system. Therefore, no general rule 

can be established as to the number of times each activity should be audited in a 
particular timeframe. Nevertheless, whatever frequency of audit is selected for a 
manageable audit unit, it should be commensurate with the level of risk resulting 
from the failure to audit it (i.e. its significance to management). Therefore an 
appropriate frequency assignment technique should be an integral part of a thorough 


and well-documented planning process. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 13,92 


Use of Significance Criteria in the Determination of Audit Frequency 


The Standards for Internal Audit introduce the concept of frequency of Audit 
(Standard No. 3), and imply that one can have a variable frequency, (3 to 5 years). 
However, no guidance is provided to demonstrate that this frequency might be 
expected to vary from audit unit to audit unit and over time, nor what criteria is to 


be used to decide on the frequency to be assigned. 


In this section it is suggested that the criteria to be used to determine significance 
are the same as those used for ranking audit units (see Table 2). The process for 
assigning frequency with which audit units should be audited should be distinct 


from the process for ranking them. 


Even if the same absolute rank (significance index) is used for both purposes, a 
scale of thresholds would have to be developed which would provide the basis for 


converting a rank to a frequency. 


Level of significance may be determined by judgementally assigning a number of 
one to "n", ("n" being an arbitrary upper limit to the range over which significance/ 
rank will be assigned). This number will, presumably, be based on some implicit 
notion of significance based on the criteria supplied in Table 2 and arrived at jointly 
between the audit group and management, or determined independently by the 
audit group and approved by management. A joint determination is preferable if 
management concerns are to be adequately (efficiently and effectively) reflected. 
(N.B. This is the same method used in an earlier section in the discussion of the 
development of manageable audit units and reporting audit units). An example of 


such a frequency determination process is demonstrated in Table 5. 


A more rigorous rank/significance determination process is possible. This would 
entail taking each element in Table 2, assigning range and weighting factor scales 
to each (in order to provide for relative importance of each criteria) and totalling 
the product of range factor and weighting factor indices for any one reporting or 


manageable audit unit to arrive at an overall ranking. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.33 


In doing this, two caveats must be considered. One is that the various elements in 
Table 2 would have to be defined such that they are mutually exclusive, if they are 
to be summed without double counting. And two, the process should allow for a 

normalization routine if different numbers of elements are used for arriving at the 


rank for each audit unit. 


For a discussion of a ranking technique that demonstrates this please refer to 


Appendix C. 


One final point; as departmental programs, activities, systems, etc., wax and wane 
in importance over time, with new ones being added and existing ones dropping off 
or becoming less significant, it is important that the frequency table be updated 
accordingly. 


Ranking as to Order of Audit 


In any organization, the function of planning requires that certain activities be 
executed in preference to others, particularly in the face of scarce resources. The 
audit environment is no exception. To effectively utilize limited resources, a ranking 
of the various alternative entities that form the audit universe must occur. As in 

the case of frequency assignment, discussed above, this ranking is not expected to 

be stable over time as various audit units will either increase or decrease in priority 
based on more current information as to their state of effectiveness, economy and 


efficiency, and their relative importance. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 


Table 5 


Assignment of Frequency of Audit toMAUs 


Frequency Assignment Table (5A) 


RAU/M AU Rank/Significance 
(Scale of | to 20) 
1 D 
2 4 
3 3 a 
4/(41, 42, 43) 14 
2 1 
6 B 
i 7 
8 8 
2 20 
10 2 
ll 6 
12 9 
Frequency Table (5B) 
Frequency MAU 
Two Year Cycle 9 
Three Year Cycle 3,4 
Four Year Cycle Tes S35 ea 72 
Five Year Cycle L290, 6,010 
Legend 
MAU = Manageable Audit Unit 
RAUs= Reporting Audit Unit 
Note 


l Frequency Scale 


Rank/Significance Range Frequency (Years) 


1-5 
6-10 
11-15 
16-20 


NW 


2 RAU No. 4 consists of a roll-up of MAU's 41, 42 and 43. 


1.3.34 


Frequenc 1 
(See scale’) 


FHUNF FUUNWWUY 


3 RAUs may, in some cases, be single entry (one-shot) units based on 


independent (as opposed to ongoing) management concerns. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.35 


As discussed in the section above, "Use of Significance Criteria in the Determination 
of Audit Frequency", the criteria in Table 2 may be used as a basis for determining 
the relative rank/order of the manageable audit units, (see Table 3). A more 
convenient version of a rank/order table, for scheduling purposes, is shown in 

Table 6. Here the original assigned rank (from Table 5) is inverted and collapsed 
such that the MAUs appear in the order in which they will appear in the long-term 
planning schedule. 


It is preferable to decide on frequency of audit explicitly on the basis of significance, 
whether by use of the criteria discussed in this chapter, Appendix C, or some other 
equivalent, but equally explicit method. The more explicit the method is, as to the 
underlying assumptions made, the better. Furthermore, the decision as to frequency 
and order should be reviewed periodically on the basis of changes in the control 


framework, and therefore significance/risk potential in the intervening period. 
The advantages gained would be: 
1) decisions will be based on a consistent, rational and explicit basis; 


2) the underlying assumptions will be visible and easily reviewed to see if they 
still hold; 


3) the decisions made will be less mechanistic, more closely aligned with the 


decision criteria used by management, i.e. risk avoidance; and 
4) this approach should result in more efficient use of audit resources. 
Develop Long-Term Plan 


Table 7 displays a completed long-term planning schedule based on frequency 
requirements, as reflected in Table 5 and order requirements per Table 6. It is 
assumed that sufficient resources exist in the audit group to accommodate the 
activities assigned to each year, otherwise resources and/or audit priorities must 


be renegotiated. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 123.36 


Table 6 
Order of Audit Table 


Original Rank Collapsed and Inverted Rank/Order 

Rank/Order RAU/MAU Rank/Order RAU/MAU 
(Highest = 20) (Highest = 1) 

it 5 1 y) 

2 10 2 4/(41, 42, 43) 

3 6 3 3 

4 Z 4 2 

5 l 5 8 

6 11 6 7 

7 7 Hi At 

& 8 8 1 

g 1s 9 2 

10 - 10 6 

ll 3 RY 10 

12 - 12 5 

13 - 

14 4/(41, 42, 43) 

BS - 

16 - 

17 a 

18 - 

its) - 

20 ") 
Legend 


RAU = Reporting Audit Unit 
MAU = Manageable Audit Unit 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 1.3.37 


Table 7 
Long-Term Planning Schedule 


RAU/MAU 


9 
4/(41, 42, 43) 
3 


Z 


1 


/(41, 42, 43) 


Oo 


1 
8 
7 
1 
1 
2 
2 
3 
4 
6 
1 
5 


Development et ee ee ee ote] ee eed es ee ee 
| 

| Planning 
Training i = = dad ao 


Other see ea a 


Legend 


--- = Timing undetermined. 
RAU = Reporting Audit Unit 
MAU = Manageable Audit Unit 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 153338 


The long-term plan should include a display explaining how both managerial concerns 
and the audit universe are being covered and the resources are assigned; providing 

a general statement of scope and objective for each of the audit units and, where 
practical, some indication of anticipated benefits or results; demonstrating coverage 
of relevant central agency policies; providing for special audits; and, showing the 


extent and nature of non-audit activities. 


The general statements of scope and objectives need not be unique for each manage- 
able audit unit. For example, standard wording could be provided for all the major 
types of audit (e.g. Responsibility Centre Audits, Organizational Audits, Systems 
Audits and Pre-implementation Audits) on a word processor and then minor differences 
could be readily developed for specific instances. Of course, special audits would 


need unique statements of scope and objectives. 
Conclusion 


The attention any manageable audit unit gets, from the manager and auditor alike, 
should be based on the potential risk of not giving it that attention. For example, 
in making an independent decision that some, or all, of the financial functions will 
be audited once every three years the head of internal audit is implicitly assuming 
that the financial function is a high risk area, - higher than all those being audited 
less frequently. More than that, the head of internal audit is implicitly assuming 
that that function will continue to be a high risk area year after year no matter 
what efforts are made to improve it over those years. Neither of these assumptions 


are necessarily valid in all cases, for all time. 


Some departments and agencies, particularly small ones (in terms of budget $'s and 
PY's), will not be high risk areas in terms of resource costs. However, they may be 
highly visible and crucial to the government in either political or social terms, or 
both (e.g. Federal Mediation and Conciliation Service, in the Department of Labour; 


Legislative Programming, Department of Justice). 


Table 8 provides a display of responsibilities associated with the internal audit 


planning process. Activities 8 and 9 will be dealt with in the next Chapter. 


Internal Audit Handbook 
Volume I, Chapter Three 
Development of Internal Audit Plans 


oe fara how mice 


Responsibilities Associated with 


Activity 


Ident. mgt. 
Concerns 

Ident. Audit Issues 
Dev. RU's 


Dev. Strategic 
object plans 
Dev. Audit Universe 


Develop MAU's 
Develop L-T Plans 
Develop Ann. Sched. 
Develop Resource 


Plans 


Table & 


Internal Audit Planning 


IA 


Suggest 


Develop 
Develop 


Develop 


Develop 


Develop 
Develop 
Develop 
Develop 


Responsibility 


Sr. Mgt. 


Provide 


Influence 


Contribute to 
criteria and assgt. 


of significance 


factor 


Influence 


Contribute to 
criteria and assgt. 


of potential risk 


factors 


In House 


In House 


13.39 


Audit Comm./DM 


Advise/Approve 


Advise/Approve 


Advise/Approve 


Advise/Approve 


Advise/Approve 
Advise/Approve 


(PUAN -« 


_ 
yy 735 3 


—" ; ' ri : 


of rr ; 
‘ 
ay A 
Lf 
*4 
7 ve 
fh 
rl 
ae i] 
ve 


+ ca ae 
‘- = i oe 


" cay as iy ; 


ra ‘ns if ye ie 


ba. 


= 
rh) a 
A 7 Mig 


; 7 
ae a 
i 
: iy ioe p 
Bi i ‘ 
{ uta ‘ 
5 
; ys 
f 
; ! 
rr 
} 
i 
ur ; "el ? 


ne ee 
pltienene WM Pele th Guin 
aly Ke 


Nh any 
eae ‘una 


Ni Lite ra 
ei 


ay 


“7 
: an 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.1 


CHAPTER FOUR 


MANAGEMENT OF THE INTERNAL AUDIT GROUP 


1. OVERVIEW 


Managing the internal audit group is not unlike managing any other organization. 

In its simplest form management deals with establishing goals then seeing that they 
are met through the effective and efficient utilization of human, physical and other 
resources. Managers must be able to establish goals, devise plans, develop organiza- 
tional structures, policies, systems and procedures, acquire and allocate resources, 
direct the efforts of people, and control events so that goals will be met effectively, 
efficiently and economically, or simply effectively, if one takes the global meaning 


of the term effectiveness. 


Managing is one of the most important areas of organizational activity, because all 
managers, at all levels and in all kinds of endeavors, have a basic task of designing 
and maintaining an environment in which people can grow and develop while accom- 
plishing pre-determined organizational goals. Successful management thus requires 
a managerial temperament; the ability and inclination to inspire others to move 


toward desired organizational goals. 


The process which managers follow to achieve these objectives can be broken down 
and categorized into three main functions which include: planning, implementation 


and controlling. In a recent Treasury Board publication! 


, implementation is 
represented by organizing, leading and communicating (see Figure 4.1). Any 
complete discussion of the management process should include all these elements. 
Without meaning to understate the importance of other elements of the manage- 
ment process, it can be stated that the role of communication is particularly vital 
to the success of the internal audit function. Surveys indicate that modern internal 
auditing is highly charged with communications, in one form or another. It must be 
remembered, however, that these elements, although distinct in themselves and 
subject to scrutiny and analyses individually, do not exist apart from one another; 


they are interdependent. 


I Principles for Management of the Public Service of Canada, Treasury Board 
of Canada; 1983. 


Internal Audit Handbook 
Volume I, Chapter Four 


Management of the Internal Audit Group 1.4.2 


THE MANAGEMENT PROCESS* 
(For Audit Purposes; Main Activities Complete With Common Elements) 


internal Control Environmental 
intelligence 


PLANNING 


IMPLEMENTATION 


CONTROL 


Figure 4.1 


* Drawn from the Guide to an Audit of the General Management Process. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.3 


The management process is recursive, resulting in a loop effect as illustrated in 
Figure 4.2. Managers plan, organize their resources, lead people and then measure 
results. This in turn forces further decisions to be made in the process, depending 


on deviations between actual and intended results. 
Planning 


Planning is decision-making which involves selecting the courses of action that an 
organization will follow. At the highest level in the organization, it is the determi- 
nation of strategic goals and the formulation of major strategies, i.e. strategic 
plans. At the lowest level it is the planning of the detailed, day-to-day tasks which 


must be implemented to achieve the goals of the entity. 


Planning bridges the gap between where we are and where we want to be in the 
future. Although the future can seldom be predicted with accuracy, and unforeseen 
events may interfere with the best-prepared plans, planning does provide valuable 
lead time for those events that can be foreseen. To the extent to which there is 
planning and that planning is comprehensive and of high quality, the probability of 


success for the organization is enhanced. 


The previous chapter dealt with planning at the function level (i.e. strategic and 


long-term operational planning). 


In this chapter, responsibility centre planning will be emphasized. To the degree 
that function planning and responsibility centre planning overlap the processes 


described will be duplicated, however, the substance will not. 

Implementation 

Implementation consists of two major components: organizing and leading. 
Organizing is that part of managing that involves the acquisition, deployment and 
maintenance, of resources with respect to activities and the development of policies, 


systems and procedures to ensure their proper utilization. As such, it includes 


establishing a formal structure of responsibilities, roles and authorities. It is through 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.4 


this structure that the various work activities are further defined, classified, assigned 
and coordinated. A major focus of organizing encompasses the selection of the 

right people for the tasks involved. This means not only selecting people who have 
the education, training, experience and skills needed to do the job, but choosing 
individuals who are properly motivated. Resource acquisition also includes facilities 
(e.g. space, furniture and fixtures), materiel (e.g. clerical supplies, calculators, 


computers) and funds. 


Leading involves the provision of guidance through good communication and leader- 
ship. It has to do with encouraging and motivating people to contribute effectively 
and efficiently toward the accomplishment of organizational goals. As such, managers 
must understand the various approaches to leadership and the extent to which they 
influence employee behaviour, the various motivational techniques and the importance 


of communication in linking the various management functions. 
Controlling 


Controlling is the process of making certain that planned, organized and directed 
action is carried out as intended in order to achieve some desired goal. Controlling 
and planning are linked since the results of planning are used both as guidelines for 
implementation and for determining the degree to which plans are being met (i.e. 


control). 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 


RELATIONSHIPS AMONG MANAGEMENT FUNCTIONS 


Policy, procedures and 
standards for planning 


Plan —® Goals, Objectives, Strategies, Plans 


Policies procedures and 
standards for organizing 


— Systems and procedures 
— Staffing and other resource acquisition 


ORGANIZE ———— Systems and procedures developed, 
resources acquired 


CONTROL | 


Policies, procedures and 
standards for the instructing, 
motivating and leading processes 


People directed, instructed, motivated; 


_—_ 
LEAD results produced 


CONTROL 
CONTROL ": 


Policies, procedures and 
standards for controlling 


2ZOo-AarPAZzmemruZ-— 


\ Performance measured and 
oe 
CONTROL compared with objectives, goals 


CONTROL 


Figure 4.2 


1.4.5 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.6 


2. RESPONSIBILITY CENTRE PLANNING 


To meet its mandate in an effective and efficient manner, the head of an internal 
audit group must carefully plan its activities. Planning in the context of internal 
audit can be divided into two broad categories: function planning (Chapter Three) 
and Responsibility Centre Planning (see Figure 4.3). The focus for function planning 
is the department as a whole. Accordingly, the primary concern is how the function 
interacts with its host organization at that level. The vehicles for dealing with this 
level of concern are strategic planning, including the establishment and develop- 
ment of the internal audit policy and identification of departmental concerns, and 
long-term planning which ensures adequate coverage of the audit universe. The 
concerns of responsibility centre planning are the long-term infrastructural plan 
(which includes provision for strategic infrastructural initiatives), the annual 

schedule and associated resource plans/budgets and assignment planning. The purpose 
of this section is to integrate strategic, long term and short term planning activities 
which form the basis of internal audit as a responsibility centre. It is these plans 
which form the basis for directing and controlling audit activities as well as measuring 


the performance of the audit group. 


Responsibility centre planning, of course, includes the whole series of planning 

phases from intelligence gathering through to operational planning (see Figure 4.4), 
including resource planning/budgeting. However, because intelligence gathering, 
strategic planning and long-term operational planning are, in this case, joint activities 
having mostly to do with development and coverage of the audit universe they will 
not be treated in detail except as they impinge on the responsibility centre planning 


implementation and control process. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.7 


Levels of Planning 


in a Department/Agency 


Departmental 
(Aggregate) 
Planning 


Function 


Planning 
(i.e. Planning for the development and implementation 


of a function department-wide) 


Responsibility 
Centre 


Planning 


Figure 4,3 


Internal Audit Handbook 
Volume I, Chapter Four 


1.4.8 


Management of the Internal Audit Group 


uo1yNn9aXx3 


Buiuuejd 
Juawabeuey;, 


Buiuueld 
jeuoies2dC 


yty aIn8Ta 


Huiuueld 
91683813S 


Hulsayjyey 
e0ua6b1)|a3U| 


(jana aajuad Azijiqisuodsa y) 
M3IAY3SAO SS390U"d DONINNV 1d DIHSN3AD 


‘SS39O0Ud LNAWAOVNVW SHL 


(yuawuosAUa) 
jeusayx3 


jeusayu| 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.9 


Specifically, internal audit function planning has addressed such concerns as: 

creation, development and revisions of the internal audit policy; strategies on 
definition and design of auditable units (e.g. optimum size and type of audit, definition 
of "major" and "significant", priority strategy) and the managerial concerns they 

are to address. 


Long-Term Infrastructural Planning 


Long-term infrastructural planning (shown as management planning in Fig. 4.4) has 
to do with providing plans for acquiring or developing the capability to carry out 
the operations planned for in the long term plan in an effective and efficient manner, 


i.e. planning for the internal audit infrastructure. 


It includes such things as: organization structure, size and skill set of the staff 
(including management review groups where they are an integral part of the function); 
reporting relationships, audit committee relationships, external relations; responding 
to department-wide thrusts (e.g., realignment of program activities/organization); 
responding to department-wide policies (e.g. official language policy, special 
employment policies etc.); resourcing strategy (e.g., hire, second, rotate, promote, 
contract, use of core or in-house auditors vs specialists or contract personnel); 

staff training and development strategy (e.g., make/buy, in house/outside training, 
generalist/specialist, etc.). These strategic issues would normally have to be 
developed in conjunction with the deputy head and audit committee, and be approved 
by the deputy head. Policy, including such things as official languages, resourcing 
and staff development strategy, would involve the heads of the various functional 


groups. 


In planning for systems and procedures, an area crucial to the success of any internal 
audit group is the development of general-use audit work instruments such as audit 


guides, programs and/or techniques. 


The impetus for the development of an audit guide, or associated work instruments, 
normally arises from the identification of a need for a structured and consistent 
approach in an audit area for which no such framework exists. Alternatively, it 
may derive from the requirement to conduct a major revision to an existing guide 
to reflect current thinking and the present requirements of the particular audit 


environment. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.10 


In the case of functions which are common across the government, the identification 
of a need for guides will likely emanate from the IACIA, or its sub-committee 
responsible for the development of audit methodology, possibly in conjunction with 
the expressed concerns of heads of internal audit. Within individual departments 
and agencies, assessment of the need for audit guidance frequently will arise in the 
course of preparing a long term audit plan or even during post audit analysis of 


completed audit assignments. 


Once a need has been identified it will be necessary for the IACIA or the head of 
internal audit of a department to clarify the exact requirements and decide whether 
to refer the need to the IACIA or create a departmental project. In the first case, 
general specifications should be written up which can be submitted to the IACIA in 


order to set the parameters for the establishment of a project. 


Once the nature of the project is determined (i.e. departmental versus IACIA 


project), the need for resources can be identified and reflected in the plans. 


The Long-Term Infrastructural Plan, and the Annual Schedule described below, are 
developed within the framework of the strategic and long term operational plans 


and, therefore must be consistent with them. 


The Annual Schedule 


Audit Standard 13 of the Standards for Internal Audit states: "An annual schedule 
of planned audit assignments shall be prepared and submitted to the deputy head 


for approval." 
During this phase, specific assignments to be carried out during the year ahead are 
scheduled for audit. The schedule should provide some balance so that a variety of 


audit units are covered each year. 


The schedule should also include a description, in considerably more detail than in 


the long-term plan, of each assignment in terms of: 


- the purpose, scope and objectives of the audit assignment; 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.11 


- required resources, including human and non-human; 


- estimated timing, including starting and completion dates and total 


person days. 


It should also provide for scheduling of non-audit related activities such as profes- 
sional development, leave, developmental work and any other administrative or 
non-audit related activities. 


The schedule should be developed such that audit effort is effectively coordinated. 
It should be reviewed with other audit/evaluation/review groups both within and 
external to the department. Audit assignments should be scheduled in such a way 
as to ensure that full use can be made of knowledge gained from completed work. 
This is particularly relevant for program type audits where much of the audit 
methodology, work instruments and techniques are relatively new and experimental. 
Consequently, there is much need for post-audit review and evaluation of audit 
assignments to determine the deficiencies in the audit process in order to improve 


subsequent audits. 


Both the long term plan and the annual audit schedule should provide appropriate 
resource time for post audit reviews and evaluations as well as developmental work. 
Over the medium to long term the overall effectiveness and efficiency of the internal 


audit function should benefit proportionately. 


Planning is a continuous process and the audit manager must be continuously vigilant 
for changes in the audit universe in his or her organization which may affect the 
nature, scope and frequency of planned audits. Such changes should be properly 


reflected in the audit plans. 


Adjustments to the long term plan and annual schedule can be caused by a number 


of factors including: 


- changes in the departmental structure caused by a major reorganization 


including decentralization/centralization actions; 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group J.4.12 


- significant changes in senior management ranks, especially at the deputy 
head level. This may or may not result in changes in the audit universe 
elements but may affect their prioritization to reflect the concerns or 
desires of newly-installed senior management; 


~ changes in the audit resource base; or 


- requests for special audits. 


Aggregation for the Annual Schedule 


The long-term operational plan described in Chapter Three was prepared with a 
primary emphasis on Reporting Audit Units (RAUs), in order to more clearly 
emphasize the needs of senior management. It is now necessary to aggregate the 


audit universe elements in a way that will facilitate the audit work to be done. 


The long-term plan will have included components of manageable audit units (MAUs) 


as follows: 


Long-Term Plan 


Year | 
MAU 1 MAU 2 MAU 3 
RAU 1 X 
RAU 2 Xx X 
RAU 3 X Xx X 


It will now be necessary, for annual scheduling purposes, to reaggregate the elements 
as follows: 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.13 


Annual Schedule 


RAU 1 RAU 2 RAU 3 
MAU 1 X X 
MAU 2 X X 
MAU 3 (RAU 2) X X 
RAU 1 X 
RAU 3 X 


The manageable audit units are the audit assignments to be performed in the current 
year and the reporting audit units are to be translated into specific audit objectives 
of the assignments. Those reporting audit units which are not simply a summary 

of, or abstraction from, one MAU (e.g. RAU | and RAU 3) are listed as assignments 


along with the MAUs since additional resources are required to complete them. 


Finally, the MAUs and RAUs which absorb significant resources would be reflected 
in an annual schedule, along with other audit related projects and activities, (see 


Figure 4.5). 
Resource Planning 


The budgeting process provides for person-year and financial resources, however, 
from the point of view of resource planning there are physical aspects of resource 
acquisition and use that need to be planned for, in addition to budget considerations. 
This entails human resource planning and facilities and material planning (see 
Figure 4.6). 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.14 


Annual Schedule 
Apr. May June July Aug. Sept. Oct. Nov. Dec. Jan. Feb. Mar. 
MAU 1 eH 
MAU 2 -———__ 


MAU 3 {+——___— 


RAU 1 tana Of PaO SIRE TT 


RAU 3 tn is eat Tip eisiie s Ponta SETS Ta 
Planning 
Development: 
Audit Guides +—4 aaa 
Audit Org. eee! 
Infrastructure 
Training - = cr ome 
Leave 


Misc. 


Supervision 


Figure 4.5 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.15 


a) Budget Planning 


The budget is usually the most, if not the only, visible result of the resource 
planning processes. It typically consists of salary and non-salary components 


covering all expected expenditures for the coming year (see Figure 4.6). 


In cases where the staff complement and workload are stable the budgeting 
exercise is no more than an extrapolation of the previous years figures, adjusted 
for projected salary increases and inflation. It is only when instability is 
expected that additional planning is required. When required, both human 
resource planning and facilities/material planning should preceed the budgeting 
process. Since the budgeting process is usually well delineated in departmental 


policies and procedures manuals, no more will be said about it here. 


1.4.16 


Management of the Internal Audit Group 


Internal Audit Handbook 
Volume I, Chapter Four 


g*y eInsT¥A 


Buissao01g 3$ 
oro} ke | P4ONA $10}e|Nd(eD saijddns Janes L 


a6e103g $$ $$ 


wooa|a1 a4noag 039 "nag 9g ‘Bus y9e1}U00 


quawtinioay U01198|3S 


siiyauag 


1 Aeg —s Gul|jasunod, UO{edIj1SSeID 


quauidinb3 aoeds “Jey “PUl sabenbueq |e1d!440 Bulyjers 2 Aseyes-uoN 


sainix!4 


Q AANduUinNg Ase|es 


salj|ddns 


ueld jaliarey ueld 1aBpng 
1g saliijloe4 adinosay uewnNH 


ue|g so1nosay 


ONINNV 1d 3OYNOS3SY 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.17 


b) Human Resource Planning 


Human resource planning is often a neglected area in responsibility centre 
planning. For this reason, it will be given separate treatment here, from the 


point of view of the unique concerns of the internal audit function. 


The scope of modern internal auditing is such that a wide range of skills is 
required to carry out the range of internal audit assignments faced during the 
course of any one year. No one individual is likely to have all the required 
skills. Therefore, the degree to which an internal audit group will be able to 
assemble the range of skills required, and the methods chosen to accomplish 


this, will depend on a number of factors. 


To start with, given the focus, or perspective, of modern internal auditing 
(i.e. the manager's view of departmental operations, in general, and of internal 
control, in particular), the skill set required of any one internal auditor is 


broader than it used to be. 


When internal auditing was synonymous with financial auditing, the skill set 
required was accounting and auditing. In this case an individual with an 
accounting designation, (e.g. CA, CGA, RIA) was considered adequately equipped, 


in terms of knowledge base. 


Now that internal auditing has changed, in both scope and perspective, the 
requirements for the auditor's knowledge base have changed accordingly. The 
minimum knowledge requirements for any auditor, particularly a senior auditor, 
now include auditing, management and, preferrably, one more functional- 
administrative skill such as accounting, personnel, etc. In those departments 
where the systems and procedures (processes) are heavily dominated by EDP 


facilities and techniques, EDP knowledge would be an asset as well. 


While a junior auditor could function without management training in the 
short-term, given that even operations level controls are examined from the 
managerial perspective, there would have to be close supervision by a senior 


internal auditor with the full complement of skills, including management. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.18 


Considering that skill is a combination of knowledge and experience it is 
evident that the ideal auditor would be one who has both academic training in 
management and experience as a manager. This raises a dilemma, as the 
current classification structure is such that it is highly unlikely that the junior 
auditor will have had the opportunity to acquire actual, hands on, managerial 
experience. The auditor may, however, have acquired the next best form of 
experience by acting in a management consulting capacity prior to joining the 


internal audit group. 
Where the internal audit group is too small, or where the requirement in terms 
of workload is insufficient to justify the full range of skills required, alternative 
arrangements need to be planned. These would include contracting, secondment 
and term employment. 
In the first instance, planning for human resources entails comparing the 
requirement for human resources, in terms of amount, skill and timing, to the 
resource pool that exists. If this process results in a gap then an array of 
techniques are available for dealing with it, including: 
Le Reorganization of the annual schedule, audit assignment composition 
(i.e. type, and therefore scope, of the audit assignment), or re-allocation 
of audit team members to audit assignments; 
Ze Training, for short-term gaps, and development for longer-term ones; 


3.  Recruitment/staffing (indeterminate, term) and/or divesting staff; 


4, Rotating staff (within the department, with other departments or central 


agencies); 
25 Seconding staff; 
6. Executive interchange; 


Te Participation in the Career Assignment Program (CAP); 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.19 


8. Participation in the Career Orientation Program; and 
9. Contracting. 


All the foregoing techniques require a certain amount of lead time if they 


are to be effective, therefore, they should be explicitly planned for. 


Additionally, other human resource oriented initiatives that need to be planned 
for and coordinated with related department-wide initiatives include: official 
languages (requirements, recruitment, training and development), equal 
opportunities (recruitment, training and development), security (clearance, 


change in requirements) and possibly, counselling. 


Cc) Facilities and Materiel Planning 


Just as with human resource planning, the degree of facilities and materiel 
planning required will depend on the stability of the internal audit function's 


environment. 


Figure 4.6 provides a breakdown of the components of the facilities and 
materiel area of concern. Of particular concern recently are the areas of 
word processing, EDP and telecommunications. Word processing, because of 
its extensive use in documentation preparation, and more recently, because 


of its increasing use for information storage and retrieval purposes. 


Electronic data processing (EDP), word processing and telecommunications 
are the building blocks of recent thrusts in office automation. If internal 
audit groups are to take advantage of potential efficiency and effectiveness 


benefits a considerable amount of advance planning will have to take place. 


The timing of such planning is particularly crucial where the host department 
has already initiated activity in this area; it is much more difficult to retrofit 


internal auditing needs to an existing plan, or worse still, an existing facility. 


Much of the current development activity in the office automation area is 
centred on improved capability and support for "knowledge workers". In the 


context of auditing several areas of application are worth considering: 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.20 


i Information storage and retrieval: 


1.1 Key index for cross-referencing manageable audit units and 
managerial issues at the planning stage, in order to reconcile 


coverage of the audit universe with coverage of issues. 


1.2 Related to 1.1; a cross-reference between audit assignment results 
by several indices (e.g. by reportable issue or subject, by organiza- 


tion, by function/activity, by date, by team leader/member, etc.). 


1.3. Working paper storage, assembly and retrieval, cross-referenced 
by finding, by issue, by function/activity, by organization, etc.). 
This would be particularly useful where a department-wide issue 
or functional audit is being carried out, and therefore, several 
team members, possibly working in several parts of the country, 
are contributing to one common working paper file. The data 
could be input and cross-referenced from remote terminals, thus 
shortening the time interval for assembly of findings and report 
development, speeding up the validation/response/action plan 
development process, and the follow-up process. This approach is, 
or course just as applicable for any audit assignment where several 
auditors are contributing to a common file of working papers, and 


eventually to a single report. 
2. Analytic techniques (decision aids) 
2.1 Statistical sample design, selection and analysis. 
2.2 Use of other statistical methods as decision aids (e.g. 
correlation/regression, factor analysis, baysian decision analysis, 
queueing theory models, monte-carlo simulation, statistical cost- 


benefit analysis, etc.). 


2.3 Use of deterministic decision/analysis models (e.g. deterministic 


net present value/internal rate of return analysis, variance analysis, 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.2] 


linear regression, decision trees, decision tables, EDP software 


simulation, etc.). 


oh Administrative Aids 


3.1 Filing correspondence by multiple index. 


3.2 Automated library systems. 


3.3. Time reporting and analysis systems. 


3.4 Project control systems. 


3.5 Economy/efficiency/effectiveness reporting systems. 


3. ORGANIZING 


Organizing activity develops the required infrastructure (e.g. organization structure, 
systems and procedures, methodology), acquires people, facilities and other resources, 
and arranges them in logical groupings to carry out plans and meet goals. The 

action taken to organize the internal audit activities at their highest level becomes 
one of the major strategies for achieving the goals and objectives of the internal 
auditing function. Most of the efforts in this area are, however, directed to imple- 


mentation of management plans. 


Organization of the Internal Audit Group 


The Standards for Internal Audit require that all departments or agencies that are 
subject to Treasury Board policies have an internal audit capability. This does not 
necessarily mean that all departments and agencies will have an internal audit 
organization or an internal audit group. Some smaller departments or agencies 


may choose to contract for their internal audit services. 


While the use of outside resources is often a viable alternative, there are a number 
of advantages to using in-house resources, where justified for cost or other 


compelling reasons: departmental orientation and empathy is enhanced, training 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.22 


requirements may be reduced; knowledge and experience gained by the auditor is 
retained by the department; and departmental managers are often more comfortable 


with "in-house" internal audit staff than contract personnel. 


A side benefit of having an internal audit group can accrue if the internal audit 
function is used as a training ground for staff and operational managers, through 
rotation and exchange with departmental operations. Operational managers tend 
to gain a better perspective of their department or agency, as well as additional 
insight into control practices and evaluation. Internal auditors may get to "walk a 


mile in the manager's shoes" in the rotation offsets. 


Where it has been decided that an internal audit group shall be established there 
are a number of ways in which it can be structured. However, essentially two 
organizational structures appear to emerge as most suitable for internal audit 
purposes. They are the normal hierarchical structure and the matrix or pooling 
structure. They are illustrated in Figures 4.7 and 4.8. (Although the illustrations 
provided are more applicable to large departments they can be readily down-sized 


for smaller departments/agencies.) 


In the normal structure, the reporting relationships are hierarchical and are most 
suited to those internal audit groups that decided to split the review activities by 
types of audits i.e. functional, program, etc., or along organization lines. The 
tendency here is towards specialization. The matrix or pooling structure is best 
suited to those audit functions which possess a broader, more heterogenous, set of 
skills within the group. The current trend is towards integration. Hybrid configura- 


tions which exhibit elements of both approaches are possible as well. 


In addition to the line-oriented activities of the audit group, some consideration 
should be given to allocating appropriate resources within the organizational structure 
to audit-related activities such as planning, developmental work, quality control 

and other essential administrative tasks essential to supporting the overall effective- 
ness of the function. These decisions should, of course, be justified on a cost-benefit 


basis. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.23 


Finally, internal audit managers may wish to allocate some of their approved person- 


years to secondments, rotations, trainees, etc. 


Given the range in size and complexity of government programs and activities it is 
obvious that there is no one best organization structure. Each internal audit group 
should adapt its organization structure to accommodate its own unique and specific 


requirements. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.24 <= 


Deputy Audit 
Head Committee 


_ 
— 
- 


Director 
Internal 


Audit 
Admin. Secretarial 
Support retaria 


; a | 
aay Vaan Assistant 
Assistant Internal Director Audit 
Operations Audit Directors Operatiops Planning & 
or Managers or Development 
Manager 


Senior Auditors 
(team leaders) 


Secondees/Trainees/ 
Specialists 


Ei a fe EP = 
ee ste 


Staff Auditors Secondees/Trainees/Specialists 


POOLING OR MATRIX ORGANIZATION STRUCTURE 


Figure 4.7 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 


Deputy Audit 
Head Committee 
-— 
ee 
= 
ae 
Director 
Internal 
Audit 
Admin. Secretarial 
Support 
Ass't, |.A. Directors 5 
KO or Audit Managers Say Assistant xy 
Director Audit 
Operations Operations Planning & 
or Development 
Manager 


Sr. Auditors 
ae i 
Staff Auditors 


HIERARCHICAL ORGANIZATION STRUCTURE 


Figure 4.8 


® 


Secondees 
Trainees/ 
y¥ Specialists 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.26 


However it is structured the internal audit function should generally be organized 
in a single group independent of the operations it must review. It should not be 
subdivided, with separate groups reporting to program or functional managers. 
There are several reasons for this. A single internal audit group reporting to the 
deputy head, or to a senior executive officer who reports directly to the deputy 
head: 


- provides greater independence thus facilitating objectivity; 


- provides a better perspective on department-wide issues from a senior 


management viewpoint; 


- fosters a broader viewpoint on the interrelationship of organizations 


and functions within a department or agency; 


~ places the internal auditor in a better position to make systematic 
evaluations and appraisals of all departmental programs, activities and 


operations; 


- facilitates a more efficient operation by minimizing duplication of 


effort and administrative resources; and 


- facilitates the attraction, retention, development and management of 
staff. 


Although the internal audit function is expected to provide useful feedback to all 
levels of management its primary orientation is to higher management. Therefore 

it must have staff with the appropriate collective skills and knowledge, both technical 
and managerial, to be able to successfully view the organization through the eyes 

of the management it serves. The reasons for this can be demonstrated in both 


efficiency and effectiveness terms. 


To the degree that the department wants to get maximum output for every unit of 
resource expended, the internal audit function is no exception. The internal audit 


head is expected to deploy resources such that the most material (significant) issues 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.27 


in terms of pay-back, or potential risk are dealt with. To do this the internal auditor 
must be highly cognizant of department-wide issues and problems, as those are 

likely to provide the most significant results. Also, sufficient knowledge of the 
audit unit must be gained to determine what skill set is required to successfully 
perform the audit. The skill set must be sufficient to assure results while being 
careful not to overwhelm the audit assignment with either excessive quality or 


quantity of resources. 


As to effectiveness, if it is accepted that department-wide policies, strategies and 
planning issues are at least as material as operational and administrative ones, and 
that department-wide issues, in general, are likely to be more material than local 
ones, then those concerns associated with higher level management should pre- 
dominate. To satisfy these requirements the internal audit organization must be 
situated such that it can operate at the required level without restriction or inter- 


ference by line management. 
Reporting Relationship 


The emerging trend for reporting relationships is the preferred one of having the 
audit head report to the deputy head. Alternative arrangements include reporting 
to a senior assistant deputy head (with no direct operational responsibilities) who in 


turn reports directly to the deputy head. 


In cases where the reporting relationship is not directly to the deputy head there is 
usually a split provision for administrative and functional reporting. In this situation 
internal audit plans, reports and related issues would be expected to go directly to 
the deputy head, while strictly administrative issues would be dealt with by the 


immediate superior. 


Another variation has both the heads of internal audit and program evaluation report 
to the same official, for technical and administrative purposes, who, in turn reports 
to the deputy head. The reason most often cited for the latter arrangements is the 


deputy head's excessive span of control. 


A crucial determinant of the independence of the head of internal audit, and by 
extention of the audit group, is who carries out his/her performance review. 


Preferably, this is done by the deputy head, with advice from the audit committee. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.28 


Combining internal audit and program evaluation under one head has its advantages 


and disadvantages: 
a) Advantages 


1: Both functions are interested in departmental outputs and delivery 
mechanisms. Combining the two groups under one head facilitates 


coordinated/joint planning, exchange of data and of results. 


De In some departments the required skill set for auditors and evaluators 
overlap. A combined arrangement facilitates joint recruiting, rotation, 


secondment, etc., of human resources. 


oe The two functions are sufficiently related that a senior executive can 
readily absorb them within his/her span of control while preserving 
most of the independence that would have been gained through reporting 


directly to the deputy head. 
b) Disadvantages 


Ie Contact with the deputy head and other senior management may be 


impaired, or at least less direct. 
2: Independence in auditing the Program Evaluation function may be impaired. 
33 The priorities of one function may predominate over the other. 


4, | Where combined Audit and Evaluation Committees are established, 
instead of the more usual Audit Committee, the problems involved in 


arranging and running the associated meetings may become more complex. 


In summary, there are potential advantages and disadvantages to such an arrangement. 
However, in those cases where span-of-control or other considerations mitigate 
against a direct reporting relationship, having the internal audit and program evalua- 


tion groups reporting through a position with responsibility for both may be a reason- 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.29 


able compromise, provided reasonable precautions are taken to minimize the 


disadvantages listed above. 
Personnel Management 


Personnel management is essential to organizing. It includes classification, selection, 
recruitment, training and development, counselling and evaluation of performance 
of people to operate the organization competently. Good personnel management 


depends on good planning. 


The number of auditors and range of skills is normally determined during the planning 
process. There are several diverse methods for obtaining the resource requirements 
identified. These are: hiring, promoting, training/developing, seconding, borrowing, 


rotating and contracting. 


In any decision between the use of permanent and non-permanent staff, one typically 
faces the dilemma of striking a balance between organizational/operational familiarity, 
and independence. While seconded staff could provide program/functional experience 
otherwise missing in the audit group, it would be difficult to claim objectivity if 

the audit team was not led by an auditor who was independent of the operation or 
activity being audited. On the other hand auditors working under contract, while 
providing the audit group with both supplementary skills and resources and additional 
independence, are often perceived to be lacking in empathy and grounding in the 


organization under audit. 


The solution to the problem of independence in the case of audit teams which include 
secondees and/or borrowed staff from the operations under audit, lies in the adequacy 
of supervision by a professional internal auditor. Essentially, this means using the 
secondee as an adviser who helps the auditor to ensure the completeness and integrity 
of the data used to describe the auditable unit, while relying on the auditor to perform 
the analysis and evaluation required to draw conclusions and to present the results 

to management. This approach minimizes the possibility of organizational bias, 

since the secondee is not required to judge performance but contributes to the 

audit team's greater understanding and allows for greater depth of coverage of the 


entity under audit. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.30 


An alternative in dealing with the problem of assembling audit teams with appro- 
priate academic background and managerial/operational experience is rotation. 

This means choosing aspiring managers who could benefit from wider exposure for 

a rotation placement in internal audit, either unilaterally or in exchange for a senior 
auditor. This is a move which could be of mutual benefit to the audit group, the 
individual and the department in that it provides the audit group with needed opera- 
tional and managerial experience thereby enhancing its credibility with auditees. 
Operations personnel gain valuable knowledge and experience in control theory and 
techniques, as well as a broadened knowledge of the organization. Auditors gain 
valuable operational and managerial experience. Last but not least, the organization 


as a whole gains a better trained, well-rounded cadre of managers. 


In terms of the skills set of internal audit groups, the trend that is emerging is a 
combination of core auditors supplemented by a cadre of specialists in fields such 
as finance, personnel, administration, EDP. Skills most noticeably missing are 


usually management and operations related. 


Core auditors are, and will tend to be for the foreseeable future, primarily individuals 
with accounting and financial backgrounds. The reason for this is that auditing has 
its roots in financial areas and the accounting profession has traditionally been the 
only group offering formal training in auditing. There are other alternatives emerging 
for acquiring internal auditing knowledge, including the preparation for and writing 


of the Institute of Internal Auditors! exams (i.e. acquiring a C.I.A. designation). 


At present, there is no classification group that corresponds to, or includes completely 
the internal audit function. As a result, a number of groups and levels are currently 
in use. They include AU, FI, OM, AS, PE, CS, etc. Although there are conditions 
under which a case can be made for any of the groups listed above, some reflect 

the needs of the internal audit function more closely than others. Until a satisfactory 
permanent solution is developed, departmental internal audit groups faced with a 
classification problem should consult with the Office of the Comptroller General. 

One thing is certain, regardless of which classification group is chosen, the levels 

of the auditors performing, particularly leading, the current version of internal 


auditing should be at a higher classification level, than were its financial audit 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.31 


predecessors, if they are to establish and maintain empathy/credibility with senior 


departmental functional and program management. 


Recruitment 


The head of the internal audit group faces a major task in attempting to recruit 
resources. With the expansion of the role of the internal auditor to perform audits 
of all departmental operations, it is difficult to find auditors who have adequate 
expertise in all areas. Thus, the director of the internal audit group must often 
hire staff with expertise in one of the areas subject to audit and then provide addi- 
tional training for these individuals to equip them with audit skills. The reverse 
may also be true, where a person may be hired who has been an auditor but who 


needs further training in certain functional areas to enhance audit capability. 
Orientation 


Appropriate time and material should be provided for orientation of new staff 
members. Generally, the period of orientation will last anywhere from a few days 
to two weeks depending on the individual's familiarity with the organization. Any- 
thing beyond this is often non productive as the person becomes anxious to get on 


with an assignment. 
Orientation should consist of: 
~ an overview of the structure and functions of government; 


- an introduction to staff and, depending on the level of the new auditor, 


to members of management; 


- a review of relevant documents and material including those pertaining 


to the deparimeni and to the internal audit function; 


- an overview of the internal audit function's audit approach and processes 
including its methodologies, audit approach, philosophies, strategies, 


analytical concepts and techniques, use of work instruments such as 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.32 


audit guides, programs, questionnaires, control records, etc. (An example 
of a departmental orientation package which could serve as a reference 
point for other departments interested in developing their orientation 
approach may be viewed in the OCG, Internal Audit and Special Studies 


Division library.) 
Training and Development 


To a considerable degree, training for internal auditors has traditionally been handled 
in an on-the-job fashion. Although experience has often been assumed to be the 

best teacher, it must be remembered that traditional auditing, mostly financial, 

was done within a well defined framework with relatively well-defined criteria. 

This is no longer the case, at least in the non-financial areas which currently 
comprise 80 per cent or more of the internal audit scope. With the greatly increased 
scope, plus increased and ever-changing technology, more government regulations 
and more complicated departmental activities, internal auditors cannot rely solely 

on experience to do their jobs adequately. Training and continuing education must 

be made available to members of the internal audit staff to ensure that as a 


minimum, all auditors have a sound understanding of the following: 

(a) the role and responsibility of internal audit; 

(b) the procedures and policies of the audit group and the manner in which 
they relate to generally accepted auditing concepts, including those of 
the C.I.C.A., the I.I.A. and those reflected in this Handbook; 

(c) management theory, practices and processes; 

(d) control concepts and practices; 


(e) analytical methods and techniques; 


(f) communication (interviewing, oral presentation, report writing); 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.33 


(g) the department's structure, objectives, programs, policies, operations, 


governing legislation, budgets, etc.; and 


(h) the many functional areas they may be expected to audit, including 
EDP3 


To deal with the training that may be required to adequately acquaint each auditor 
with the above, it is incumbent upon the audit head to organize an appropriate 
training and development program. This means a formalized, structured approach 

to training and development; one that provides for an ongoing assessment of individual 
as well as organizational needs, a coordinated plan to facilitate the attainment of 


the desired training or development and a means by which to follow-up on the results. 


The major objective of training is to increase the capabilities of individual staff 
members, such that they meet the requirements of their current assignments, and 
hence the effectiveness of the entire internal audit group. As such, it should be 
used strictly to upgrade staff caliber, not as a means to either reward good perfor- 
mance or fulfil some pre-conceived entitlement expectation on the part of staff 


members. It is a tool which must be used judiciously. 


The kind of training needed by an individual auditor can be determined in a number 

of ways. The preferred method is to link the determination of training require- 
ments with the requirements of the individual's assignments and with the performance 
appraisal process. This method offers an excellent opportunity for both supervisor 
and subordinate to discuss training in relation to requirements and subsequent 
performance. In other words, specific training objectives can be formulated during 


these meetings to address shortfalls in performance. 


Training requirements may also arise as a result of specific audits to be carried out 
in the year ahead. For example, audit assignments requiring technical knowledge 

or expertise not currently available within the internal audit organization, or in 

short supply, could be dealt with by providing on-the-job training to those indivi- 
duals who will be involved in such future audits. This can be done by "double banking" 
with in-house, or external (seconded, contracted) experts. Naturally, the advantages 
and disadvantages of pursuing this route as opposed to contracting out or seconding 


the necessary expertise would have to be evaluated. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.34 


Planning, guiding and directing the careers of the internal audit staff are important 
aspects of the role to be carried out by audit managers as well. To a large degree 
the head of internal audit may be evaluated by the degree of success he or she has 
in developing and upgrading staff members. Aside from providing a ready source 
for dealing with shortfalls resulting from attrition, staff members who are encou- 
raged to develop in their profession are likely to be more highly motivated and 
effective in their current performance, provided that they see some potential for 


upward mobility. 


An organizational environment which is, and is perceived to be growth oriented is 
more likely to be viewed as a desirable place to work by both incumbent and 
prospective employees. This desirable environment is supported by potential 
promotion opportunities. Promotion from within makes for good employee relations 
but it can breed sterility. An infusion of new blood can be revitalizing. A balance 
between the two is probably the best approach. To this end, it is desirable that 
departmental personne! planning provide for lateral mobility between internal audit 


and adjacent functions/positions. 
4 THE INTERNAL AUDIT MANUAL 
A departmental audit manual will serve the following purposes: 


® to communicate policy, mandate, principles, concepts, processes, methods 
and techniques for internal audit adopted by the department or agency 
to provide direction through which the quality and efficiency of internal 


auditing may be maintained or improved; 


8 to provide a source of material for both formal and on-the-job training 


of internal auditors; and 


e to provide and communicate standards through which meaningful perfor- 


mance measurement may be established within the internal audit function. 


Much of the generic content could be transferred as is or adapted from this document 


(i.e., the IACIA Internal Audit Handbook), however, there will be material which is 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.35 


unique to the department or agency involved which will have to be written specifi- 
cally for the departmental audit manual. The nature and form of the internal audit 
group's management systems will be largely dependent on relevant departmental 
systems and so will not be described here in detail. Appendix A provides some 


examples which may be useful. 


A suggested Table of Contents for a departmental audit manual is presented in 


Appendix B. 
5. LEADING 


A manager must make plans, develop the organization, systems and procedures and 
acquire resources necessary to carry them out. However, even if these functions 
are performed well, success is not assured. The manager must ensure that the 
staff carry out the plan to the best of their ability. This is the leading or directing 
phase of the job, and unless it is done well there will be a gap between plans and 


performance. 


Leading embraces a wide range of activities from the straightforward task of issuing 
oral and written instructions to motivation, often involving considerations of great 


subtlety (e.g. providing guidance without stifling initiative). 


Leading is a sub-function of management whose nature is heavily influenced by 
management style, which varies considerably from incumbent to incumbent. There- 
fore, no further elaboration will be attempted here. For those wishing to delve 


further into this area suitable references are provided in the Bibliography. 
6. CONTROLLING 


Control should be well understood and practiced by audit managers. In fact, the 

internal audit organization should serve as a model for good management practices 
within the organization. Unfortunately, this is often not the case. Audit managers, 
like other managers, get caught up in demanding work schedules, often with limited 


resources. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.36 


The internal audit manager or director must establish effective control over work 
activities. Building upon sound plans and organizational arrangements, appropriate 
systems and procedures, qualified people, and effective administrative direction, 
there must be a means of ascertaining whether resources are being utilized in the 
best way to meet goals and whether goals set out in the plans are being achieved. 
The audit manager must be sufficiently informed on the various ongoing activities 

to measure and appraise results, and have a basis for taking any necessary corrective 


action on a current and timely basis. 


On the one hand, the audit manager wishes to avoid the kind of below-standard 
performance that would discredit the function. On the other, he or she does not 

want to discourage initiative, nor install control systems which are not cost effective. 
These objectives are accomplished principally through adequate, but not overbearing, 
supervision; regular and timely, but lean, progress reports; and critical post audit 
review and analysis of results, based on clearly established, predetermined standards 


which are demanding but not unreasonable. 


The controlling process, in general, is no different for internal audit than for any 
other function. It may be summarized as three major activities for discussion 
purposes. (Rather than a lengthy discussion of general management principles, 
which are adequately covered in management literature and summarized in Volume 
Il, Book 1, Chapter 4, Management Control Concepts, this section will focus on 
those control processes and procedures peculiar to management of the internal 


audit function.) 
The three major activities are: 
a) Develop goals/standards 


The broader internal audit goals are normally expressed in the form of strategic 

and long-term plans, while specific goals and standards would be contained in the 
management plan and annual schedule in the form of audit assignments, and associated 
goals, standards and success criteria. As mentioned elsewhere in this Handbook, an 
internal audit group must develop a set of goals in its planning process, all subject 

to various control processes. Goals and plans serve the dual purpose of providing 


direction for implementation, and standards or norms against which to compare 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.37 


results. The more specific the statement of goals and the associated plans, the 


better the yardstick by which to measure performance. 
b) Measure and compare actual performance against intended results 


Results of internal audit activities are subject to measurement at two levels, 
(1) individual assignments as per the annual schedule and (2) overall effectiveness 


of the function. 


The first is basically a form of project control. It is accomplished by selecting 
strategic control points concerning the activity being performed. This would take 
the form of periodic progress reports and supervisory reviews at key dates or mile- 
stones. The assumption here is that a planning and control document (e.g. assignment 
planning memorandum, supervisor checklist and associated documentation) is adopted 
for each assignment or project undertaken by the internal audit staff, including 

both audit and non audit assignment projects in accordance with the annual schedule. 
Depending on the length of the assignment, and in addition to regular departmental 
reporting requirements, milestones should be established against which the audit 
staff must report progress relative to the approved plans. These milestones might 

be established at key points of the assignment e.g. completion of planning, 


completion of fieldwork, etc. 


In addition to controlling activities and measuring results of individual audit assign- 
ments, internal audit managers must be prepared to contend with the larger issue 

of measuring the overall results of the internal audit activity. On the premise that 
the control function revolves around the goals to be achieved and the resources 
provided, the control mechanisms are oriented to overall effectiveness and the 
optimization of resource utilization. The comparison for actual performance against 
pre-detemined criteria is intended to highlight any significant potential or actual 


deviations. 
c) Analyze the cause of the deviations and take appropriate managerial action 


When audit assignments are initially scheduled, the estimated person days are normally 


stipulated in an assignment memorandum. Based on the assigned number of personnel, 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.38 


there are estimates of when the audit work will be completed, when exit meetings 
will be held, and when reports will be completed. As the job progresses, these 
estimates need to be re-evaluated in light of changing or unforeseen circumstances. 
The important point is that the control mechanism is able to flag these situations 
and in a timely manner provide the audit manager with useful and meaningful infor- 
mation as to the actual causes of potential or actual deviations between desired 


and actual performance. 


By being apprised of and analyzing off-standard performance, whether it is time or 
quality of results, the manager is in a better position to plan future activities as 
well as make appropriate operating or personnel decisions. As an aid to current 
and future management decision-making all off-standard performances resulting in 


managerial action should be fully documented. 


Effective control then is the necessary means by which good planning, sound organiza- 
tion, selective staffing, and a proper leadership are combined to produce intended 
final results. While the earlier phases of planning and implementation must be 
adequately developed, it is the control function that determines if a steady and 


orderly march toward the established goals is being achieved. 


It is important to recognize that an effective control effort depends upon the careful 
design and effective utilization of the reports and procedures through which control 
is achieved. Good design of the specific control mechanisms is not enough. The 
second part of the effective control effort is appropriate use. This means prompt, 
vigourous and timely corrective action when deviations or other unfavourable 
developments are identified; but, the control system should be almost invisible 
otherwise. Almost, because the knowledge of its existence provides deterrent 


value, even when rarely used. 


These procedures are particularly important for internal audit (as with all staff- 

like functions) because of the lesser operational pressures to which they are subjected, 
and the tendency, on the part of professionals, to pursue activities/results beyond 

the point of diminishing returns. It is useful therefore, for the audit manager, and 

in turn his/her total group, to reappraise periodically their approach to the control 


function. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.39 


Responsibility Centre Control 


To be effective the Internal Audit manager must apply the above indicated control 
process in the same manner as any other manager in the organization. To a significant 
degree, this may be accomplished by utilizing the long term and annual plans, on 

the one hand, and the internal audit manual on the other, as means of achieving 


control over the audit group's results and activities respectively. 


To appropriately control operations, the audit manager must measure the performance 
of the audit group on an ongoing basis. This means establishing mechanisms to 

measure not only the progress of particular audits or projects, but also the performance 
of individual auditors against predetermined criteria and standards of excellence, 


and the performance of the internal audit group as a whole. 


The management information generated as a result of these kinds of comparisons 

will allow the audit manager to be in a position to take such decisions as are necessary 
to improve the overall economy, efficiency and effectiveness of the group. At the 
aggregate level, this information will provide the basis for accountability of the 

audit manager to the head of internal audit and of the head of internal audit to his 


or her superior. 


Control mechanisms such as proper supervisory review at key points during the 

course of an audit; a clearing process for audit observations and audit reports; a 
performance evaluation system; and an accountability reporting system are invaluable 
to the head of internal audit, the audit manager and the team leader for the purposes 


of control. 


For example, supervisory review of audits will help to ensure that working papers 
were prepared in the approved format, (i.e. properly indexed and cross-referenced), 
that all program steps were carried out or otherwise accounted for, and that all 
audit objectives were attained. Based on the assignment plan, the manager will be 
able to readily determine whether desired scope and depth of audit coverage was 
attained, whether audits in progress are on schedule, whether completed audits 
were concluded by their scheduled due dates and within the budgeted number of 
person-days and dollars, reasons for under/or overruns and their effect on the plans 


and schedules of the audit group. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.40 


In the following, a more detailed discussion is provided of three areas of responsibility 
centre control of particular interest to audit groups. These are Assignment/Project 
Control, Responsibility Centre Accountability Reporting and Evaluating Performance 


of Personnel. 
(a) Assignment/Project Control 
Assignment/project control consists, typically, of the following elements: 


E Assignment/project status reporting of utilization of resources 
(people/$'s) against budget, at milestones which are keyed to 
specific task completion (i.e. results) targets. (Individual and 
aggregate, for each manager and for the head of the internal 


audit group.) 
Ze Weekly time sheet. 


3. Quality control checklist for the various phases of the audit (as 
represented in the Working Papers). (At each level of review, i.e. 


team leader, manager, head.) 


4, Assignment performance appraisals for all assignment team members 


(each appraisal to be performed by his/her superior). 
Appendix A provides examples of each element listed above. 
(b) Responsibility Centre Accountability Reporting 


Accountability reporting refers to the management information, generated by 
various systems, which is available to a manager and enables knowledgeable 
decisions to be made. Depending on the individual manager, the system and 
its outputs may take many different forms. Many audit groups utilize, at a 
minimum, some form of weekly time reporting and status reporting system. 
Some of these are, of course, simply an aggregation or summary of assignment 
level control reports, however, there are others which deal with overall 


directorate economy, efficiency and/or effectiveness. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.41 


In devising control systems for the responsibility centre the design of the 
reporting systems should be tailored to the complexity of the environment 

and operations and to the needs of the individual manager. There is sometimes 
a tendency to try to provide for every conceivable contingency and in so 


doing the system becomes complicated and forbidding. 


Such a system can collapse due to the demands it places on the audit staff, or 
simply from lack of use. On the other hand, in the more usual case the 
tendency is more to provide so little information, particularly on effectiveness, 


that it is of little use for directorate evaluation purposes. 


Most effectiveness measures stop at the "output" rather than the "effects" 
level, i.e. audits completed or reports issued. This indicates that a result 


was produced, but gives no indication of its usefulness to management. 


To be sure, criteria or standards for measurement of internal audit responsi- 
bility centres are typically not as explicit, and therefore as easily measured 
against, as those for control of audit assignments (eg. ensuring all audit program 
steps are carried out or otherwise accounted for). The internal audit manager 
must utilize a considerable amount of judgement in evaluating the extent to 


which criteria have been met. 


The main ongoing process in an internal audit responsibility centre is auditing, 
which is adequately controlled through the assignment/project control process. 
The main focus of internal audit responsibility centre level contro! (performance 


measurement) is economy and/or efficiency and/or effectiveness. 


The and/or notation simply alludes to the fact that, depending on the definitions 
one chooses, economy, efficiency and effectiveness may be considered as 
separate and distinct (i.e. mutually exclusive), or they may be considered as 
sub-sets each of the next higher order control. For example, efficiency may 

be defined such that it includes economy measures, and effectiveness may be 


defined globally to include economy and efficiency measures. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.42 


This latter approach has appeal from two points of view. First, it is difficult 
to imagine a process that is efficient and not economical; and similarly it is 
difficult to imagine a responsibility centre that is effective, in every sense 
(from the manager's point of view), if it is not also economical and efficient, 


since the manager's performance depends on all three. 
8 p 9) 


Admittedly one can be "doing the right thing" and not "doing it right", to 
quote an often used definition. However, although this narrow definition may 
suffice for evaluation of a process or result, in isolation it is not very useful 
in the complete evaluation of a responsibility centre's performance, or that 
of its manager. A manager who does the right thing but does not do it right 


is simply not an effective manager. 


Second, it provides for segregation of lower level or proxy measures if adequate 
criteria cannot be developed for the next higher level while recognizing their 
inherent relatedness. For example, if output measures are not measurable 

then one can still use input (economy) measures, in terms of budgeted versus 
actual resources used. On the other hand, if efficiency measures are feasible 
the input (economy) measures are readily absorbed into combined efficiency 


indices. 


A list (not exhaustive) of possible measures for each of economy, efficiency 
and effectiveness (the 3 Es) are presented in the following pages, with both 


the global and narrow definitions for the 3 Es represented. 


Economy Measures (E Dp 


Definition 
Measure Represented 
oS Input Used (Assumes that the plan is correct). Both 
1 ~~ Input planned 

Where Input = Person-days or $'s or other resource. 
Min. E| = Cost of resource acquired, while 

meeting quality requirements. Both 
Min. EY = Cost of maintaining resources, while 


meeting quality requirements. Both 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.43 


Efficiency Measures (E.) 


Definition 
Measure Represented 
1. ey _ Output (Assumes that output can be (a) adequately = (a) Global 
2 Anput defined or (b) held constant; to be 
meaningful this ratio should be compared (b) Narrow 
or to an absolute (ideally) or at least a 
relative standard, e.g. previous period 
_ Benefits or other similar RC). 
2a. Costs 
Where: 


Output/Benefits = Audits/Reports/Findings/Findings Accepted/ 
recommendations implemented/savings 
identified/etc. Caveat: some legitimate 
audit findings/recommendations result in 
higher costs in the short-term; presumably 
for cost or performance gains in the long 


run. 
Inputs/Costs = Person-days or S's. 
Note: * This ratio is sometimes called "productivity, 


particularly when used in macro-economic terms. 


2 E, _ Productive Input 
~ Input Available 


(Usually used for purposes of measuring Narrow 
human resource utilization as compared to 
a pre-determined standard/objective.) 


E, _ Input available for assignment Narrow 
~ Theoretically Available Input 


e.g. For human resource; indicates the effect of sickness 
and other absence on availability. 


Effectiveness Measures (E 3) 


1: FE. - Qutput Achieved Narrow 
3 ~~ Output Planned 


2. p. . Effects Achieved Narrow 
3~ Effect Planned 


Effects Achieved 
3 > Output Achieved 
(Actually a form of output efficiency, Narrow 
in the economist's sense) 


E 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.44 


(c) 


(Includes achievement of all indicators Most global 
of success that were planned). 
ee Effectiveness Achieved 
3 Effectiveness Planned 


i.e. Degree to which the RC achieved what was planned for the 
RC; or what the manager achieved of what was expected, 
in the MBO sense). 


Output = (Similar to that defined under "efficiency 
measures"). 
Effects = Findings/recommendations accepted/ 


recommendations implemented/benefits 
obtained by management from recommendations 
implemented; i.e. the degree to which the 
auditee/dept. is better off as a result of 

the audit performed. 


Caveat: Although these indicators (i.e. E.s) 
are theoretically the most representative of 
the effectiveness of the IA function they 
are very difficult to use for two reasons: 


a) They are often difficult to measure, 
particularly if they result in better 
service rather than in lower cost; 
sometimes they result in higher costs. 


b) The responsibility for the better 
performance is at best, shared. 


Effectiveness = Meeting of all the goals/standards/etc., 
(for RC/Mgr.) set for the RC or manager or both. 


Evaluating Performance of Personnel 


Audit staff require regular evaluations to let them know how they are doing. 
To be effective, these evaluations should be fair and held frequently. They 
should be carefully structured and be carried out according to an established, 


consistent, and well-understood pattern. 


Internal auditing provides its own uniqueness in evaluating staff people. No 
two projects are the same. Some projects may not be challenging to an auditor. 
Others may turn out to be beyond an individual's potential or experience. 


Still other projects, which had previously been performed in a routine and 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.45 


unimaginative fashion, may be made more interesting because of an auditor's 
novel approach or innovative methods. All these factors should be considered 
in structuring the evaluation system so as to be fair to the employee as well 


as the department. 


To measure anything reasonably well requires objective standards and consistent 
methods of gauging performance. All persons who will be evaluated should be 
fully aware of the standards and the methods. Thus, the policy or program 
should be clearly communicated. The instructions should make clear what is 
considered excellent, adequate, or unsatisfactory performance. The instructions 
should also establish when and how often the evaluations will be made and 

how they will be used. It is considered good practice to have evaluations 
performed at the completion of each assignment with a roll up at least once a 


year, for the annual appraisal. (See Assignment/Project Control and Appendix A). 


The size of the auditing organization also has a significant bearing on how the 
evaluation program will be structured. A director of auditing with six people 
would have less difficulty conducting frequent and informal performance 
evaluations. A larger organization, with several supervisors and a large number 
of in-charge auditors and assistants, precludes close contact between the 
auditors and the director. In this environment, it is the supervisors who have 
the personal contact with the auditors-in-charge, while the latter have the 
contact with their assistants. And the greater the number of supervisors, the 
more remote the possibility that all evaluations in the department will be 


carried out in the same way. 


In the case where an Internal Audit director does all the evaluations he/or she 
can be completely open with staff about precisely how they were rated. When 
staff are subject to the review of different supervisors or auditors-in-charge 
during the year, the director should be careful about letting the evaluators 
have the last word. Different supervisors and different auditors-in-charge 


will most likely have varying standards, likes, dislikes, and prejudices. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.46 


One evaluation program that has worked reasonably well provides the following 


pattern: 


~ At the conclusion of each audit assignment, the auditor-in-charge 
prepares a rating sheet (see Appendix A - for illustrations) for 
each of his assistants, and the supervisor or manager prepares one 
for the auditor-in-charge. A rating for each assignment is necessary 
because of the variations among assignments. The actual ratings 
are not discussed, but a dialogue is conducted on the strengths and 


weaknesses observed on that particular project. 


This dialogue can be extremely beneficial, depending on how it is 
approached. An often successful method is for the evaluator to 
open the conversation by asking the subordinate to assess his or 
her own performance e.g. what was done well, what was done 
poorly, what was learned from the job, and what are the areas for 
improvement. This kind of dialogue can provide an invaluable 
learning experience for the employee and would be followed by 


the manager's views. 


~ At the end of a 6-month or 12-month period, the head of Internal 
Audit combines the various ratings and discusses the results with 
each auditor. These ratings and interviews are of major importance 
to the individual. In large organizations, this may be the only 
time during the year when the auditor has a chance to have an 
unhurried open discussion with the director. These should be carried 
out in a relaxed manner and result in a thorough review of the 
auditor's problems, goals and aspirations, and in a program to 


work them out. 


In filling out the rating sheets, the evaluator should seek to maintain a distinction 
between accomplishments and traits. While both are significant, each has a 
different function. The rating of accomplishments should apply to the particular 
project completed, since each project has different problems. The evaluation 


of traits deals with the qualities that auditors carry with them through their 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.47 


working lives. Traits are harder to evaluate since the evaluator is applying 
subjective standards; they are also harder to change. However, it is well for 
the head of Internal Audit to be aware of significant traits since they may 
affect decisions about an auditor. For example, a project which requires a 
large number of assistants should not be assigned to an auditor who, because 


of his/her introversion, has been unable to demonstrate an ability to supervise. 


The internal auditor combines technical competence and education with such 
personal traits as adaptability, understanding, integrity, determination and 
interpersonal skills. Thus, the head of internal audit must maintain a well- 
structured employee evaluation program to inform the auditor of progress, 


strong points and those areas where improvements can be made. 


Finally, it should be kept in mind that an appraisal may be as much an 


evaluation of the auditor's supervisor as of the auditor. 
Evaluation of the Audit Function 


As is the case with every other function or activity within an organization, the 
internal audit function is subject to evaluation. The process should review not only 
performance but also the criteria used to measure performance. In the case of the 
internal audit process, the criteria take the form of the Standards for Internal 
Audit in the Government of Canada; criteria for evaluation of operational perfor- 
mance are supplied by operational and assignment plans. The foriner serves as a 
kind of benchmark against which to judge the administrative performance of the 
audit group, while the latter is useful in assessing the extent to which the audit 
group was effective in carrying out its plans. The judgement as to the overall 
effectiveness of the internal audit group is essentially subjective in nature. It is 
ultimately made by the deputy head and reached after considering feedback received 


from various sources including the following: 


Office of the Auditor General Reviews: As part of the review of a particular 
department or as part of a government-wide audit, the OAG may review the 


internal audit function. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.48 


Office of the Comptroller General Reviews: As part of the effort to upgrade 
the quality and effectiveness of internal auditing in the Government of Canada, 


performance monitoring is carried out by the OCG. 


Outside Party Review: In an effort to determine its strengths and weaknesses 
and thereby improve performance, departmental heads may turn to outside 
parties such as private sector consulting/auditing/accounting firms to conduct 


performance reviews. 


Management: Feedback could be obtained from senior management and the 
audit committee concerning management's perception of the function. This 
kind of feedback can be extremely beneficial and informative for appraisal 
purposes, in that it indicates the extent to which the role and activities of 
internal audit are appreciated and accepted by the organization's management. 
This, however, should never be the sole determinant of the audit functions 
performance, simply because the more significant the audit findings the more 


affected and less objective the auditee managers. 


Accountability Reporting Systems: As previously described, in the "Responsi- 
bility Centre Control Section", the internal audit manager establishes control 
mechanisms to monitor the performance of the audit group. Similarly, he or 
she participates in the feedback or control mechanisms of the deputy head. 

In this respect the Standards indicate that "a report shall be submitted to the 
deputy head at least annually on audit coverage, major findings, significant 
unresolved recommendations and any other matters requiring the deputy 
head's attention." Furthermore, they indicate that "the internal audit group 
should assess whether appropriate follow-up action on the implementation of 


recommendations, has been taken and it should report inadequate action." 


There is probably no greater indicator of the effectiveness of the internal audit 
group than the extent to which its recommendations are implemented and prove 
beneficial to the auditee, and the department as a whole. Therefore, it is important 
that the head of internal audit track responses, observations, recommendations and 
action plans all the way to implementation to be in a position to adequately gauge 


the overall effectiveness of the internal audit group. 


Internal Audit Handbook 
Volume I, Chapter Four 
Management of the Internal Audit Group 1.4.49 


The above kinds of feedback are essential to the Deputy Minister, for purposes of 
departmental management decision-making, and present an opportunity for the 


audit manager to demonstrate the effectiveness of the internal audit function as 
well. 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System I.A.1 


APPENDIX A 
ACCOUNTABILITY REPORTING SYSTEM 
1. STATUS REPORT 
General 


The status report, a sample of which is shown in Figure A is a multiple purpose 
control document that provides the audit assignment control system with the following 
information (abstracted from NH&W's Internal Audit Manual; and adapted with 


permission): 


(a) Notification that an audit has been initiated; 
(b) Planned time utilization on the audit (by phase); 
(c) A revision or update of the audit plan; 

(d) A weekly progress report on the audit; 

(e) Notification that the audit is complete; and 


(f) Cumulative history of the audit. 


Whenever an audit is assigned, the audit team leader will create a status report. 
This document is retained by the team leader for the duration of the audit. It is 
used for periodic activity reporting through the audit control system and becomes a 


permanent historical record of the audit from initiation to completion. 


In the case of a non-audit assignment or project, the development of audit programs 
for example, a status report is created at the discretion of the manager. A straight- 
forward assignment of short duration does not warrant the same control as a long 
multi-phase audit, a status report would therefore not be created. As a guide, 
status reports should be created for assignments with an estimated labour content 
of one person-month or more. Special project numbers are secured from the 


administration clerk for all projects. 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 


Completion Procedure 


(i) Initiation 


Pee 


Header information: Enter the following at the top of the report: 


a. Issue: numbered serially starting at no. | and date 
b. Date: calendar date of original preparation 
G5 Auditor: name of responsible team leader 


de Audit Number: identifying number of the audit or project 


(obtained from the administration clerk) 


e. Audit Title 


(ii) Planning information 


Planning information is entered as follows: 


a. The following audit phases will be used for time reporting by phase: 
PHASE A Assignment Planning 
PHASE B Review 
54g Pavey she ©: Evaluation 
PHASE D Verification 
PHASE E Reporting 


b. Est. Person-days: estimated number of person-days required by 


phase. 


c Start-P: planned starting date of the phase. 


Start-A: leave blank until the actual completion date can be 


entered. 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System RAGS 


ad. Stop-P: planned completion date of the phase. 


Stop-A: leave blank until the actual completion date can be entered. 


e Week ending: enter the appropriate week ending (Friday) date in 
the block at the head of each column; in Figure A the first week 


of project activity was 7 Oct. 


i: The duration of each project phase is shown opposite the phase 
designator/person-days/start/stop information in Gantt chart 
fashion. Bold vertical lines mark the beginning and ending of a 


phase as shown in Figure A. 


Recording Weekly Progress 


Preparation 


An updated project status report showing progress achieved during the week is to 
be submitted for active audits and projects. The updated reports shall be given to 
the appropriate manager and to the administration clerk by Friday noon of each 
week during Phases A, B,C and D of the audit. To record weekly progress, proceed 


as follows, while referring to Figure A Internal Audit Status Report: 


a. On schedule: If the weekly progress is according to plan, enter a check 


mark () in the week-ending box opposite the appropriate phase. 


Da Behind schedule: If the weekly progress has not met the planned estimate 
and the work has fallen behind, enter the number of calendar days that 
the work is behind the planned estimate and circle the number - see 
Figure A. Enter an explanatory note concerning the delay in the notes 
block. 


c Ahead of schedule: When weekly progress has exceeded the planned 
estimate enter the number of calendar days that the work is ahead of 
schedule in the week-ending box. Enter an explanatory note, if appro- 


priate, in the notes block. 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.4 


Distribution 
Photocopy the updated status report, enter the end week date on the photocopy and 
give copies to the appropriate division chief and to the administration clerk; retain 
the original. 
Revision and Update 
Revision 
When an audit plan is altered, for whatever reason, the audit assignment control 
system must be informed. The medium for so doing is a revised status report. If 
the changes to the existing status report are few, the old information can be 
obliterated with typewriter correcting fluid and the new data entered. If the changes 
mean extensive alteration of the existing status report, proceed as follows: 

(1) increment the issue number; 


(2) enter the date of the status report revision; 


(3) in the notes block, enter a brief explanation of the reason for the revision; 
and 


(4) make a photocopy of the revised document and forward it to the 


administration clerk and division chief. 


It is good practice to place a copy of the old status report on the audit file for 


future reference. 


The following rules of thumb should be used for determining when an audit phase 
should be rescheduled: 


(1) if the elapsed time between start and finish of a planned audit phase is 


changed by 20 per cent or more; or 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.5 


(2) 


if the estimated labour input to a planned audit phase is changed by 20 


per cent or more. 


The audit phase in question, and consequently all succeeding phases, shall be 


rescheduled instead of proceeding with the original schedule plan and reporting 


days early or late. 


The following procedure shall be used when beginning a new audit phase after finishing 


the previous one late: 


(1) 


(2) 


if plans for the subsequent phase had not been included on the status 


report on late completion of the previous phase: 


incorporate the labour and time estimated for the new phase on 


the report to reflect late completion of the preceding phase; 


enter planned start and finish dates for the new phase; 


enter the actual start date (assuming the new phase is to start 


immediately); 


start the new phase "on schedule". 


If the subsequent phase has been included on the status report on late 


completion of the preceding phase: 


erase the bold vertical lines that depicted the original plans for 


the phase; 


place a revised set of bold vertical lines at the start and finish 
points of the newly scheduled phase that account for late completion 


of the preceding phase; 


enter the actual starting date in the appropriate column (assuming 


the new phase is to start immediately); 


Internal Audit Handbook 
Volume I, Appendix A 


Accountability Reporting System I.A.6 
® start the newly planned phase "on schedule"; 
® note that the original planned start and finish dates of the phase 


are not altered; 
@ adjust subsequent phase plans as required. 


The foregoing, can be adapted to situations where audit phases are 


completed ahead of schedule. 
Extension 


In many situations one cannot foresee how an audit will proceed from the outset. 

In such situations, the initial plan, and therefore the status report, will contain 
estimates of the initial one or two phases only. As these phases appproach completion 
the team leader shall add estimates of the remaining phases and enter an appropriate 


note in the notes block to record the date of so doing. 


Completion 


(1) Introduction 


In the week an audit is completed, the team leader will notify the control 
system by first entering activity information in accordance with the 
foregoing instructions. Secondly, he/she will enter "AUDIT COMPLETED, 
DATE" in the notes block. He/she will then give it to the administration 
clerk and manager. Audit completion is signified by notification from 

the auditee that the audit report in question has been received and 


accepted. 


(2) Cancellation and Suspension 


If an audit is interrupted or terminated at some point, and audit effort 
temporarily ceased, the appropriate entry shall be made in the notes 
block: 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System I.A.7 


(i) CANCELLED with reasons for cancellation - if the audit is 


terminated prior to completion, not to be re-initiated. 
(ii) SUSPENDED with reasons for suspension and date of expected re- 
start - if the audit is temporarily suspended, when the audit is re- 


started, a "RE-START" entry should be made in the notes block. 


2. WEEKLY TIME SHEET 


The following has been asbtracted from NH&W's Internal Audit Manual, 


with permission: 

General 

All audit staff must submit a weekly time sheet to the administration clerk by 
Friday noon of each week. The time sheet data which summarizes how the individual 
occupied his or her time during the week is coded and entered into the audit control 
system to produce audit cost data. The report must include data for each weekday, 
including statutory holidays, in one-quarter day portions. 

Completion Procedure 


The time sheet is completed as follows: 


a. The date, name, and initials are entered at the top of the sheet. Note 


that the date block is for Friday's date. Refer to Figure B. 
b. Audit related data is entered on the lower portion of the sheet as follows: 


(1) Activity Code 


An appropriate activity is selected from the activity code list on 
the bottom of the sheet and is entered in the three-space activity 
block. 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.8 


(2) Audit Code 


A three-digit audit or special project identifier is entered in the 


three spaces of the audit number block. 
(3) Phase Code 


Select the appropriate phase identifier from those listed on the 
right-hand side of the sheet, and enter in the space provided in 


the phase code block. 


(4) Labour Expended (quarter days) 
The number of quarter days of labour expended on the identified 
activity, entered as above, is recorded against the appropriate 
day(s) of the week. 


Summary Print-Outs 


The output of the time reports submitted is a computer print-out which is analyzed 
for the director by the administration clerk. The actual time spent on audits/projects 


can then be compared to the estimated time on Status Reports. 
Be DIRECTOR'S MONTHLY STATUS REPORT 


The following has been abstracted from NH&W's Internal Audit Manual, with 


permission: 
General 
At the end of each calendar month, the assistant director and the division chiefs 


report to the director on the status of audits and projects that are in progress or 


suspended. The report form is shown in Figure C. 


I.A.9 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 


e[NPstssud & SsNd>PP S$, YOT - unos OJLP U4sNYI2 OU *HOOM TTL HITS JJO pq - AaoH 62 | 
dn J} axHktu oy 8Tqe oq Avu - v2, YO Pa{aeys Juz qed vuyeq - ao gl | 
yam Yxuu Aq v[Npayas uo aq TI}M - Aol 9 


BqI0mM Z UPYATA dn Yysqes TTA ‘waytqoaa oy - 120 gz 


SOUUOEIE 641NO| BOP jogs Lf 4/0 804 


640 UOss0g [ONI2Y we “we jeoy4 


———— — — 


= CHEE — et te 
ae eee Se {rd ea | ee eee ; 390 9T AON 62. 

| ( 290 2 | son gt [ aon ot 
‘ “AON YT | AON BT sr 230 4T 


=| 320 vt| 220 911220 220 € eva 


4 
a 
a) 
qa 


— | ee | | | | | 


SITE ITE fee wep eto od cepa | lez te biz a ae ee ea 
ve 340 AON AvW'Q | avw'G | Aewea | avw'a 
eioves eNnayig Bijoves Bhagay 
eiboy Pevubig enioyw Pevuutig 
78 “ON 62 tB8 jades (7 uoy eT dwWoD 1AQYO = 12815 
CUB) OrvvOrses — Awjirsy Buys y qoura eed | woneruang ~ sary 
BTL 
uAolg py 
Hayes Ver YOFBTAIG wurzatog wpaoday - Appny pauyquog sero le UN SA CN TEC, 
zg ‘'249S 27 
Ostty — opeg 214Q 


eu-tols ) wey 


HIETY oO 
> LWYOdduY SNivis 


OUHIVd fd poy) - sdgar | beg 


uw aingdta 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.10 


Reporting Procedure 


On the first working day of each month, the administrative assistant provides the 
assistant director and the managers with a copy of the previous month's report. 

This copy is updated to reflect correct audit and project status and is returned to 
the administrative assistant for typing and distribution to the director, the assistant 


director and the managers prior to the seventh working day of the month. 
Report Format 


The report comprises six columns (see Figure C) into which audit and project infor- 


mation is entered as follows: 


Audit/Project: The title of the audit or project as it is stated in the audit 


control system is entered into a block in the first column. 


Team: The names of the audit or project team leader and members are entered 


in the second block. 
Starting Date: Enter the date on which the work actually began. 


Estimated Completion Date: Enter the estimated completion dates of Phases C 
and D of the audit. The events that signify the end of these two phases are 
described earlier in this chapter. Once the two estimates have been made 

and entered into the report, they are not to be changed. Revisions to schedule 
are to be shown on the project status report, not in the director's monthly 


status report. 


Actual Completion Date: Enter the actual completion date of Phases C and 
D, as they occur. 


Remarks: Any remarks required for explanation of the information entered 


as above can be included in the remarks block. 


Mokena! 
|W Health and Welfare Canada Santé et Bien-é@tre social Canada 


Internal Audit Directorate Direction de la vérification interne 
WEEKLY TIMESHEET — FEUILLE DE TEMPS HEBDOMADAIRE I ait 
Week ending Friday 
Semaine se terminant 
vendredi le 
Dad M Y-A SURNAME — NOM DE FAMILLE INIT. 
01 06 23 25 


ACTIVITY CODE AUDIT NUMBER PHASE CODE QUARTER DAYS — QUARTS DE JOUR CONTROL CLERK USE 
CODE NUMERO DE LA CODE DE AL'USAGE DU COM- 
D'ACTIVITE VERIFICATION S-S S-D M-L T-M W-M_ T-J MIS DE CONTROLE 


26 45 46 


Activity codes with an * require audit number/ EMPLOYEE’S SIGNATURE — SIGNATURE DE L'EMPLOYE(E) 


phase code. 


Les activités marquées d'un * demandent le n° 
de la vérification/ code de phase 


PROJECT PHASE CODES 
CODES DE PHASE DU PROJET : 


PROJECT PLANNING 
PLANIFICATION DE PROJET 


ACTIVITY CODES — CODES D’ACTIVITES 


ANNUAL AND STATUTORY LEAVE 
CONGES ANNUELS ET STATUTAIRES 


sop} AUDIT PROJECT 
01 PROJET DE VERIFICATION 


FIELD WORK AND ANALYSIS i 
TRAVAUX PRATIQUES ET ANALYSE 


: SPECIAL PROJECT 
500 PROJET SPECIAL 


SICK LEAVE 


eee CONGES DE MALADIE 


PRESENTATION AND DRAFT REPORT } 
C PRESENTATION ET EBAUCHE 
DE RAPPORT 


AUDIT RESEARCH AND 
DEVELOPMENT PROJECT 


COMPENSATORY LEAVE 


Ops CONGES COMPENSATOIRES 


PROJET DE RECHERCHE ET 
DE PERFECTIONNEMENT DE 
LA VERIFICATION. 


ALL OTHER LEAVE 
AUTRES CONGES 


RAPPORT FINAL 


LANGUAGE TRAINING 
COURS DE LANGUES 


DEVELOPMENT OF WORK 
INSTRUMENTS 
E PERFECTIONNEMENT DES 
INSTRUMENTS DE TRAVAIL 


GENERAL ADMINISTRATION 


1 
Ae ADMINISTRATION GENERALE 


FINAL REPORT 
5 


TRAINING 
FORMATION 


101 


TRAINING - DEPARTMENTAL 
FORMATION - MINISTERIELLE 


NHW 386 (6 -82) 


Internal Audit Handbook 
Volume I, Appendix A 


I.A.12 


dLVvd 
ONTLYVLS 


SMYVWaY 4LVd NOILATdWOO | ALVG NOILATANOO 


IWALOV da LVWILSa LOICOUd/ LIGAV 


*4O ALITIGISNOdSau 


Accountability Reporting System 


ee 


JO SV LYOddd SNLVLS SLOaLOdd/SLIGAV 


Dd e1n3ty 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.13 


4. QUALITY CONTROL 


Quality Control of assignments is typically carried out by examining the working 


papers. The following pages contain an example of a "checklist for reviewers". 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.14 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


PART I (to be completed by Chief/Audit Manager) 


Assignment Planning Phase 


r. Does the audit planning memorandum set out: 


broad objectives of the audit related to Terms 
of Reference provided to Team Leader; 

specific activities to be audited (including an 
overview flowchart if applicable); 

audit methodology; 

supervisory review requirements; 

budget of staff-days and other resources in 
sufficient detail to be useful as a control device; 
any other matters, (e.g., restraints on availa- 
bility of auditee and audit personnel, dependence 
or other auditors, etc.); 


responsibility for the drafting of audit report? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System eed 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Be Is the estimate of resources required per the planning 
memorandum in sufficient detail to act as an effec- 


tive control over each audit phase? 


Does the estimate of resources needed identify: 

~ the level of skills required; 

- specialized skills, e.g. software support; 

- amount of total resources needs to be filled by 
professional services; 


- travel requirements - dollars and time? 


3. Do the activities selected for audit warrant exami- 
nation in the light of the information contained in 
the working papers relating to known weaknesses, 


materiality and any other matters? 


4, Does the information in the working papers support 


the audit methodology selected? 


Ds Has a plan/structure been prepared for the working 


papers for the subject assignment? 


6. Has there been communication with the auditee in 


preparation for the review phase of the fieldwork? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 


Accountability Reporting System 1.A.16 
CHECKLIST FOR REVIEWERS Section 320 
YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


The Review Phase 


ie Do the working papers include notes of preliminary 


meeting with auditee manager? 


Le Do the notes of the preliminary meeting show that 


the auditee is aware of: 


planned objectives and scope of audit assignment; 
the audit approach; 

clearance procedures for observations; 

clearance procedures for audit reports; 

timing of audit; 

the need to inform auditee staff of the auditor's 


right of access to information and cooperation? 


3s Do the notes of the preliminary meeting contain 


information on: 


the activities in each organizational element 
under review; 

problem areas which auditee wishes to be 
reviewed; 

systems revisions or studies under review in 


area? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.17 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


4, Has the information obtained from the preliminary 
meeting with the auditee manager been taken into 
account in revising and setting out in the audit 
assignment memorandum: 

- the activities selected for audit; 
- the audit approach; 


~ the estimates of resources required? 


Ds Was a predetermined control model developed if 


one did not exist at the beginning of the assignment? 


6. Have the auditees systems and processes been 


documented and validated? 

th Has a limited review of the auditee's controls been 
carried out, and potentially significant audit issues 
identified? 

8. Has an evaluation plan been prepared? 

Evaluation Phase 

1. Do the working papers show that the control frame- 
work under review has been adequately documented 


in the Review phase? 


COMPLETED:BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.18 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Ze Do the working papers contain evidence of the 
limited verification of documentation in the Review 


phase? 


Ey Do the working papers show that an evaluation has 
been done of any environmental controls within 


which the system operates? 


4, Has the impact of the environmental controls been 
taken into account in assessing the apparent defi- 


Ciencies in the control framework? 

os Have all questions on the standard control question- 
naires or checklists, used to evaluate the financial 
control framework been answered, (e.g. CICA guides 
and FitzGerald matrices). 

6. Does any control questionnaire need amendment? 

7. Do the working papers identify those areas where 


there is great potential exposure? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 


Accountability Reporting System lElaeel 8S) 
) CHECKLIST FOR REVIEWERS Section 320 
YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


8. Do the working papers: 

~ identify the essential controls, significant 
weaknesses or deficiencies and the major 
inefficiencies in the financial control framework 
examined; 

- document the identified essential controls, 
significant weaknesses and deficiencies, etc., 
in the 
- Register of Key Controls; 
- Register of Control Weaknesses and 


x \ Inefficiencies? 


ae Do the working papers, namely the Register of Key 
Controls and the Register of Control Weaknesses 
and Inefficiencies, indicate the nature of the control 


or deficiency and the materiality of the deficiency? 


10. Where the control questionnaires indicate that there 


are compensating controls are these set out separately? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.20 


CHECKEISIMFOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Ie 


12. 


133 


Were needs for verification identified and verification 


plans/programs developed where needed? 


Was a cause-effect analysis performed and docu- 


mented for each material or significant finding? 


Were preliminary audit findings, conclusions and 


proposed recommendations developed and documented? 


The Verification Phase 


Prior to Exit Interview 


Were the objectives of each verification step clearly 


defined prior to the development of an audit program? 


Do the working papers show that the verification 
steps used, included in the audit program, were 


properly planned with a view: 


- to verifying that key controls are operating as 


designed and are effective; 


- to substantiating significant deficiencies and 


major inefficiencies, assessing their effect, 


and identifying their root causes? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1Ave2 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO. "REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Shs Do the working papers show that any additional 
significant deficiencies and major inefficiencies 
disclosed during the verification of essential controls 
were subject to the same verification as those origi- 


nally identified in the Evaluation phase? 


4, Do the working papers confirm effective operation 
of essential controls and indicate: 
~ materiality of any errors found, i.e. risk of 
loss, nature of transaction, and the volume of 
the system; 
~ confidence levels of findings; 


- results of verification steps? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.22 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Ds Do the working papers substantiate the existence of 
significant deficiencies and major ineffeciencies 
noted and show: 

- the causes; 
- the potential effects; 


- details of the results of the verification steps? 


6. Do the working papers substantiate all observations 
to be discussed at the exit interview with the auditee 


manager? 


fe Do the working papers indicate where findings could 
be substantiated with qualitatively better or more 
reliable evidence which has not been obtained because 
of additional costs (i.e. a diminishing returns decision 


was made)? 
8. Do the working papers indicate the estimated cost 


of the qualitatively better or more reliable informa- 
tion to support the audit findings? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 


LeAsZ3 
CHECKLIST FOR REVIEWERS Section 320 
YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


We 


2. 


hee 


Do the working papers indicate that the auditor-in- 
charge has exercised proper supervision over audit 
staff carrying out the audit assignment by initialling 


each page? 


Are the list of observations to be discussed at the 
exit interviews with the auditee manager indexed to 


the working paper file? 


Do the working papers indicate major deficiencies 
or other significant findings requiring presence of 


chief at exit interview with auditee manager? 

Do the findings indicate a necessity for exit interviews 
at management levels other than the auditee 
manager? 

Have minor findings cleared at lower level and not 


to be reported further been adequately substantiated? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.24 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 

After Exit Interview 

1 Have the facts of all findings of the audit been 
verified and discussed with the auditee manager at 
the exit interview? 

2; Has the initial reactions of the auditee manager, to 
the audit findings discussed at the exit interview, 
been noted in the working papers? 

3: Have the major findings, (both positive and negative) 
of the audit been identified for inclusion in the audit 


report? 


4, Has an outline of the form and content of the audit 


report been prepared? 


COMPLETEDIBY. 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1As25 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Assignm ent Report Phase 


Draft Report 


i. Does the report meet the criteria set out in section 
on Report Writing regarding: 
- format; 
- contents; 
~ provision of a record against which corrective 
action can be measured; 
- communication of results to appropriate 


officials? 


2 Does the report set out the objectives and scope of 
the audit and relate the findings, conclusions and 
recommendations to those objectives and scope in a 


logical manner? 


Bs Does the summary of findings and conclusions relate 


to the objectives of the audit? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System ].A.26 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


4, Does the summary of findings, (both positive and 
negative) and conclusions present an accurate synopsis 
of the findings etc., contained in the main body of 
the report, and is the level of presentation 
commensurate with the level to which the summary 


is being targeted? 


De Are all findings and recommendations in the report 


supported by the working papers? 


6. Is adequate account taken of corrective action already 


initiated by the auditee? 


7. Is the file copy of the report in the working papers 


referenced to the working papers? 


8. Does the report include a section on the extent and 
effectiveness of corrective action taken on obser- 
vations and recommendations included in preceding 


audit reports? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System LALZy 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 
a3 Have all observations and recommendations in the 


report been fully discussed with the auditee managers 


including, where appropriate, functional managers? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System I.A.28 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Final Report 


if Has the proposed distribution list for the report 
been reviewed to ensure that all interested parties, 


both line and functional, receive copies of the report? 


2 Does the report include the comments on the findings, 
conclusions and recommendations included in the 
report, by: 

- the auditee and functional managers; 
- the senior management of the auditee and 


functional managers? 


3: Have all changes to the draft report been cleared 
with the: 
- auditee manager and functional managers; 
- senior management of auditee and functional 


managers? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 


Accountability Reporting System AZ? 
CHECKLIST FOR REVIEWERS Section 320 
YES/NO” “REFERENGE OR 
OR N/A COMMENTS 


Assignment title 


Final Review 


1. Have all questions in the audit programs been 


answered satisfactorily? 


Ze Have all outstanding items in the working papers 
been cleared as: 
- not material and only reported verbally to 
auditee managers at exit meeting; 
- significant and included in audit report; 


- items for follow-up at next audit? 


De Have those parts of the audit plan completed by 
audit agents been reviewed in the light of: 
- the agent's contact of audit services to be 
supplied; 


- the agent's audit report on the area audited? 


4, Have the working papers been fully indexed and 


adequately cross-referenced? 


ae Is the "Permanent" file properly maintained? 


COMPEETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 


CHECKLIST FOR REVIEWERS 


Assignment title 


Quality Control 


Ee Does the review of working papers and audit report 
show that the Branch's standards have been adhered 


to? 


Ze Do the working papers show evidence that efficient 
and effective use has been made of the audit staff 
(both in-house and contract) for purposes of the 


audit? 


COMPLETED BY 


1.A.30 


Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System Ano) 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Audit Staff 


i. Do the working papers show evidence of proper 


supervision of audit staff during audit? 


2. Have all performance review reports for audit staff 


been prepared and discussed with them? 


Bs Do the written evaluations identify a need for further 
staff training, either: 
- on the job, or 


- formal training? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 1.A.32 


CHECKLIST FOR REVIEWERS Section 320 


YES/NO@ REFERENCE OR 
OR N/A COMMENTS 


Assignment title 


Budget of Resources 


[ Has the budget/time summary been completed to 
date? 
2. Have variances between budget and actual been 


satisfactorily explained? 


Follow-Up 


Ne Do the findings of the audit show need for further 
review: 
- in other areas of financial administration not 
presently being audited; 


- in future audits of the same area? 


Zs Have all significant findings of a permanent nature 


been noted in the permanent audit file? 


33 Has a proposed follow-up plan been developed? 


(Subject to input/approval by the Audit Committee.) 


COMPLETEDIBY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System ie\eoo 


CHECKLIST FOR REVIEWERS Section 320 


YE S/NOMAREFERENCGE OR 
OR N/A COMMENTS 


Assignment title 


Part II - (To be completed by Director, Internal Audit) 


Assignment Planning Phase 


i Do the objectives of the audit assignment as set out 
in the planning memorandum, complement the long 


term and annual plan of audit for the Branch? 


Z: Are the following, as set out in the planning 
memorandum, acceptable as a basis to meet the 
objectives of the audit: 

- the specific activities selected for audit; 
- the audit approach selected; 


- the estimate of resources needed? 


COMPLETED BY 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System 


CHECKLIST FOR REVIEWERS 


Assignment title 


Final Review 


i Were the approaches to the audit, the selection of 


activities audited and the performance of audit 


staff satisfactory in the light of the planned objectives 


of the audit and the audit results achieved? 


De Has our work been in accordance with: 
- the mandate of the Branch; 
- professional standards and Branch quality 


control? 


3% Are the observations and recommendations in the 


final report fully documented in the working papers? 


4, Have all outstanding matters been reviewed and 


cleared with auditee managers? 


Dt Has the chief's supervisory review checklist been 


completed satisfactorily? 


COMPLETED BY 


1.A.34 


Section 320 


YES/NO 
OR N/A 


REFERENCE OR 
COMMENTS 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System TAG) 


5. | PERFORMANCE APPRAISALS 


Procedure 


As audits are completed, team leaders should appraise the performance of each 

team member. At annual appraisal time the director and assistant director/manager 
consolidate the contents of all audit appraisals from the preceding fiscal year into 

an annual appraisal which is filed in the individual's departmental personnel file. 

The collection of audit appraisals is then destroyed. In the same manner as team 
leaders appraise the performance of their team members, the division chiefs/managers 


appraise the audit performance of the team leaders. 


In the following pages three examples are provided, with permission 


(some slightly modified). The sources are: 


ihe DRIE, Internal Audit Group 
Ze NH&W, Internal Audit Directorate, Internal Audit Manual 


3: DSS - Services, Audit Services Bureau 


TS Ate 3.0 


EVALUATION DE PROJET 
DE VERIFICATEUR 


Gouvernement 


R& Government 
of Canada du Canada 


Regional Industrial 
Expansion 


Auditor's Name — Nom du vérificateur 


AUDITOR PROJECT 
APPRAISAL 


Expansion industrielle 
regionale 


Time charged to Audit — 
Temps charge a la verification 


Classification 


Description of Audit Assignment — Description du projet de verification Project No. — N° de projet 


see definitions below < 
: Fake S 
Voir les définitions ci-dessous & 
K 
= 


FOES 
ise rN & ag 
CH Caen eS 
5 2 S a owes 
OS OO SL WS 
> SO) DOG Q @ 
; Sig ISLS an OS 
AUDITING CAPABILITY APTITUDE A FAIRE DE LA VERIFICATION SS ia) @ i) 


Planning and organizing work 

Preparing audit programs 

Identifying significant factors 

Gathering complete supporting evidence 
Interviewing 

Preparing and maintaining working papers 
Analysing material 

REPORTING AND PRESENTATION 
Preparing draft observations 

Preparing and presenting exit interviews 
Preparing draft audit report 
PROFESSIONAL CONDUCT 
Maintaining compatible relationships 
Dependability 


Maintaining confidentiality 


Planifier et organiser le travail 

Rediger des programmes de veérification 
Déterminer les facteurs importants 

Rassembler toutes les preuves a l'appui 

Faire subir des entrevues 

Reédiger et tenir a jour des documents de travail 
Analyser la documentation 

RAPPORTS ET PRESENTATION 

Rédiger des ébauches d’observations 

Préparer et tenir des entrevues de depart 
Reédiger des ébauches de rapport de verification 
ATTITUDE PROFESSIONNELLE 

Entretenir des relations compatibles 

Fiabilite 

Assurer le caractere confidentiel 


Satisfaire aux délais convenus 


Meeting agreed deadlines 


eS gO eae 
a pe Se ai pi ee Ea) 
Cel) ) Teas Tt Th Fi gaa ae a 
ELEVEVED EVE: (2 aye ees 


Unsatisfactory: An individual does not meet one or more of the fundamental requirements of the 
position. Possible indicators of unsatisfactory performance are: quality of the work depicts serious 
shortcomings or the quality produced is below what is acceptable. and the results are inadequate: due 
dates are often missed; lack of understanding of job after review with supervisor: insufficient attempt or 
lack of ability to improve and little initiative in work and accomplishment: working relationships with 
others are poor to the point of being seriously detrimental to the work. 


Satisfactory: Work performance, in the overall. is sufficient. The fundamental requirements of the 
position have been discharged in an adequate manner. Many of the expectations and results. as 
previously considered by the supervisor and the subordinate have been met. Examples might be that 
work has been generally completed on schedule but. in some instances. time frames have been 
exceeded; has on occasion required additional direction and overseeing: most policies and procedures 
have been understood but some objectives have not been realized. There is a recognizable require- 
ment for additional training or refurbishing of skills and knowledge. especially in order for the pertor- 
mance level to become “fully satisfactory” 


Fully Satisfactory: Represents thorough competence and adeptness. The criteria and expectations 
which have been established by the supervisor with the subordinate have, without any significant 
exceptions, been met and may sometimes have been exceeded. Examples might be: always com- 
pletes work on time and within budget; works within agreed upon responsibilities and objectives: 
policies and procedures are clearly understood and successfully applied; thoroughly comprehends 
and contributes to the role and mission of the work unit; copes with more important problems. In 
summary, this level of performance consistently meets all the requirements of the position. 


Superior: Represents significant and tangible breakthrough in work over the course of the perform- 
ance period beyond the competent level. This is designated when an employee's performance is 
generally beyond the requirements of the position and the criteria established. Examples might be: 
employee always completes work on time and within budget, and frequently ahead of both: performs 
work well independently; identifies solutions to most problems, responsibilities and objectives have 
often been surpassed: seeks additional responsibilities: successfully manages several activities or 
projects within the same time frame; identifies areas where practices or policies might be improved: 
demonstrates initiatives in work, etc. In summary performance results in this category clearly moves 
the work of the unit ahead. 


Insatisfaisant: L employe dont le rendement correspond a cette categorie ne peut repondre a une ou 
plusieurs exigences fondamentales du poste. Voici quelques indices qui peuvent permettre de deceler 
un rendement insatisfaisant’ de graves lacunes sur le plan de la qualite du travail ou une qualite de 
travail en deca des normes acceptables et des resultats inadequats: des difficultes frequentes a 
respecter les delais: une mauvaise comprehension du travail apres examen avec le surveillant. des 
efforts insuffisants ou un manque d amelioration: peu d esprit d initiative vis-a-vis du travail et de son 
execution; de mauvaises relations de travail avec ses collegues qui mettent serieusement son travail 
en peril. 


Satisfaisant: Cette categorie s applique a un rendement au travail qui. dans | ensemble. est suffisant 
Le titulaire s acquitte adequatement des exigences fondamentales du poste |i atteint plusieurs des 
objectits et resultats qu il a etudies auparavant avec son superieur A titre d exemples. le travail est 
geéneralement termine a temps. mais il arrive parfois que les delais ne sont pas respectes: qua 
Voccasion, il est necessaire d assurer une orientation et une surveillance supplementaires: que 
'employe comprend bien la plupart des politiques et procedures. mais rn atteint pas certains objectifs |! 
est evident que le titulaire a besoin de formation plus poussee et que ses aptitudes doivent etre 
ravivees et ses connaissances rafraichies. tout particulierement pour lui permettre d atteindre un 
niveau de rendement “entierement satisfaisant’ 


Entierement satisfaisant: Cette categorie de rendement est retenue dans le cas d un employe qui lait 
Preuve dune competence a toute epreuve. Les criteres et prevision etablis par le superieur et 
"employe sont respectes, sauf dans de rares occasions. et parfois ils sont meme depasses. Par 
exemple. employe termine habituellement son travail en respectant les delais et budgets prevus. || 
travaille en fonction des responsabilites et objectifs convenus: les politiques et procedures lu! sont 
familieres et il les applique avec succes: | comprend bien le rdle et la mission de | unite de travail et 
contribue a les mener a bien: il reussit a venir a bout de difficultes plus importantes. Bref. | employe de 
cette catégorie répond a la majorite. voire a toutes les exigences du poste 


Supérieur: Dans cette categorie de rendement. on retrouve les employes qui ont accompli de facon 
plus que convenable. pendant la periode visee. des travaux importants et tangibles. Autrement dit. le 
rendement de l'employe se situe genéralement au-dessus des exigences du poste et des criteres 
@tablis. Ainsi. employe termine toujours son travail en respectant les delais et budgets prevus. et 1! 
arrive méme qu il puisse fournir le travail plus vite et a cout moindre: il peut s acquitter seul de son travail 
de fagon adéquate: il trouve des solutions a la majorite des problemes: ceux qui lui ont fixes: 1l cherche a 
obtenir plus de responsabilites: il parvient a administrer avec succes plusieurs activites ou projets dans 
un méme deélai: il peut cerner les secteurs nécessitant des ameliorations sur le plan des pratiques ou 
des politiques: i! fait preuve d'initiative; etc. En resume. un rendement pouvant étre qualifie de 
superieur faisant. sans aucun doute possible. avancer | unite de travail tout entiere 


0105-5 (2:84) 


Internal Audit Handbook 
Volume I, Appendix A 
Accountability Reporting System IT.A.37 


Comments 
Note: Use separate sheet of paper if necessary 


a SS SS EE Ee ee ee eee ee 


Supervisor’s Comments 


Date Signature 


Director’s Comments 


Date Signature 


Employee’s Comments 


| have read and understood this appraisal 


Date Signature 


Internal Audit Handbook 
Volume I, Appendix A 


Accountability Reporting System 


Auditor's Name 


Nom du vérificateur 


Description of Audit Assignment 
Description du travail de vérification 


@ AUDITING CAPABILITY/APTITUDE A FAIRE DE LA VERIFICATION 


. Planning and organizing work 
Pianifier et organiser le travail 


. Identifying significant factors 
Déterminer les facteurs importants 


A Gathering complete supporting evidence 
Rassembler toutes les preuves a |’appui 


s Interviewing 
Faire subir des entrevues 


; Preparing and maintaining working papers 
Rédiger et tenir 4 jour des documents de travail 


. Analysing material 
Analyser la documentation 


@ REPORTING AND PRESENTATION/RAPPORTS ET PRESENTATION 


Preparing draft observations 
Rédiger des projets d’observations 


Presenting exit interview 
Présenter |’entrevue finale 


Preparing slide material 
Préparer de la documentation sur diapositives 


Preparing draft audit report 
Rédiger des projets de rapport de vérification 


@ PROFESSIONAL CONDUCT/ATTITUDE PROFESSIONNELLE 


Maintaining compatible relationships 
Entretenir des relations compatibles 


‘ Punctuality: Interviews and Teambacks 
Ponctualité: Entrevues et “‘teambacks”’ 


Maintaining confidentiality 
® Assurer le caractére confidentiel 


Following instructions 
Suivre les directives 


SIGNED/ 


SERS Audit Team Leader 


Le Chef d’équipe 


AUDITOR'S PERFORMANCE REPORT 
RAPPORT DE RENDEMENT DU VERIFICATEUR 


Classification 


Classification 


(Qualifying Remarks on Reverse Side of Form) 


Length of Service 


Durée de service 


IT .A.38 


(Observations concernant les qualifications au verso du formulaire) 


Unacceptable Acceptable 
Inacceptable Acceptable 


ACKNOWLEDGED/ 


RECONNU: Audit 


Le Vérificateur 


Fully 


Pleinement 
satisfaisant 


APPROVED/ 
APPROUVE: 


Satisfactory 


Superior Outstanding 
Supérieur Remarquable 


Director 
Le Directeur 


Internal Audit Handbook 
Volume I, Appendix A 


a hsys esi) 


Accountability Reporting System 


‘alidog UO!}eO1|dxa uN jUab!xe $a14069}e9 XNAP $89 e $99}Nd!J}1e SE109 sa] , 


‘sasoduul Ss nad Uo!}eJDajje a||aANOU 
auQ ‘sajewlullW satwiou xne sed puods au JuaWapued 2] 


“UOIPEUIOS 
ap Je JUeWAUUO!}Oe}198d ap U]OSaq }UO S}| ‘aisod 1na| ap 
saquabixa $a| sayno} e Sed yUO4S|}eS BU INb spAC|dwe sa| INOd 


‘aysod 41naj ap S}1398/qo saj sno} anbsaid }UaUb!a}je 3a sajesgueb 
saouab!xa sap 1ednid e| e }U04sI7es inb saAo|diwa saj 4NOd 


“aquesieysizes UOSe} 
aun,p a1sod naj ap s}130a/go sej snoy juaubiaie 3a sajeigugb 
sa0uabixa $8] $8}NO} e }UOJSI}eS inb saAo|dua sa| 1nd 


a1sod ina| ap saouabixe xne ailejsizes 
anb xnaiw 1UO} 38 s}139e/qo xnedioulid sap jednjd e| 
juatua|jaizueysqns JUassedgap inb saAo\dwa saj 1N0dg 


‘jauuol}daoxe aiBap un e ajsod 41naj ap saouabixa sa| $8}N0} e 
juOJsizes 1a $}130a[go sa| $sNOd juauWe}sUOD JUAaSsedap S$|| 
‘yaynosip e sed jsa,u JuaWapua 3] }JUOP saAo\dwa sa| 1NOdg 


oe 


‘318VLdS9090VNI 


:318Vida99V 


‘LNVSIVSSILVS 


‘LNVSIVASILVS 
LN3SWANIA1d 


TunalygdNs 


-F1EVNOYVWSY 


a ra 


HNaLVIOJUddv,1 30 NOILNALNIT 
¥ NOILWI03UddV.G SalHO931V9 


$30 NOILdIHDS30 JAYS ANN IDIOA 


* 


* 


“uoljzeue|dxa Ua}1I4IM e asinbad saiio6aze9 OMY asau} Ul uani6 sbuizey 


‘peyeoipul aq Aew Jue 
-uBisseay “spsepueys WNUWIUIW eat JOU SBOP BOURWIOJIIg ° 


“Bulules 
pue Juawdojanap Jayyiny pseu Asyt ‘suoizisod 41843 
yo sjuaWiadINbad au? |/e ||!4/Ny JOU OP OUM saaAojdwa 104 


“suol}Isod 4194} 40 SaAlzoalqo ay} 40 SOW Jeet PUe 
sjuawadinbad jeiauab ay} $O SOW |[1}/N} OUM saaAo|dwe 104 


‘yauuew Ajoz0e4s17eS 


AIGVLdaOOVNN x 


°378V1d3990V 


‘AYOLOWASILVS 


Ajaya|dwod e u! suo!}Isod 41184} 4O SaAlzoalgo au} {|e 38a 
pue sjuewasinba. jesouabh oy {je ||1¥]/Ny OUM saaAo|dwa 104 


‘uolyisod 1184} 40 saaizoafqo ysOW pue sjuawaiinbas Jofew 
ay} 40 JSOW paadxe AjjeljuRIsqns OUM saaAo|dwa 104 


‘gasBap |euoiydaoxe ue O} suolzisod 41ay} 40 saaizoaqo pue 
s}uaWasInba au} |]/@ paedXxe Aj}Ua}s|SUOS Aayl ‘SuolzeAsasas 
OU aJe a1ay} BUBWOJJed asoyM inode saaAo|dwa 104 


ee 


YaSIVUddV SHL JO SODNVGINS 


ee 


FHL HOS SAINODSLVO IVSIV Edd 


‘AYOLOVASILVS 
A11N4 


‘YOIYadNS 


“ONIGNVLSLNO » 


ee UE ee 


JH1L 4O NOlLdiHdS30 Ja1ua V SI SNIMO1104 SHL 


z Sg Services Canada Services Canada 


Bureau des services 
de verification 


Audit Services 
Bureau 


PERSONNEL MANAGEMENT 


CONFIDENTIAL 
(when completed) 


GESTION DU PERSONNEL 
CONFIDENTIEL 


(une fois rempli) 


T.A.40 


5 ASSIGNMENT PERFORMANCE REVIEW REPORT 
RAPPORT D'EVALUATION DU RENODEMENT DANS LE CADRE D'AFFECTATIONS 


INSTRUCTIONS F ; DE D’EMPLOI: ; 5 
Roe te ee REPORT 1S TO B s aseo ON THE AUDITOR'S PERFORMANCE ON THE SPECIFIC PER APRERY Bot RAPP DOIT FAIRE ETAT DU RENDEMENT DEMONTRE PAR LE VERIFICATEUR AU 


ASSIGNMENT(S) NOTEO BELOW. ALL SECTIONS ARE TO BE SUPPORTED BY NARRA- COURS DE LA OU DES AFFECTATIONS INDIQUEES PLUS BAS. VOUS DEVEZ FOURNIR 
DEs Pere DETAILLES POUR CHAQUE SECTION ET LES DISCUTER AVEC 


TIVE COMMENTS. THE REVIEW SHOULD BE DISCUSSED WITH THE AUDITOR. 


L'INTERESS 


AUDITOR — VERIFICATEUR 


DIVISION OR REGION — DIVISION OU REGION 


CLASSIFICATION 


ASSIGNMENT(S) — AFFECTATION(S) 


NMENT DURATION — DUREE DE L’AFFECTATION 


JOB KNOWLEDGE: 

DID THE AUDITOR DEMONSTRATE THE REQUIRED KNOWLEDGE OF AUDITING THEORY, 
METHODS. TECHNIQUES, INTERNAL CONTROL, ACCOUNTING, BUREAU MANUALS, 
COMPUTER AND STATISTICAL SKILLS, ETC? 


DID THE AUDITOR RECOGNIZE SIGNIFICANT AUDIT **FACTS'' AND DIFFERENTIATE 
BETWEEN MATERIAL AND NON-MATERIAL ITEMS IN CONDUCTING THE AUDIT? 


DID THE AUDITOR OBTAIN SUFFICIENT COMPETENT AND RELEVANT EVIDENCE TO 
PROVIDE A REASONABLE BASIS FOR HIS OPINIONS, CONCLUSIONS, JUDGEMENTS 
AND RECOMMENDATIONS? 


CONNAISSANCE DU TRAVAIL: a 
LE VERIFICATEUR A FOURNI LAPREUVE QU'IL POSSEDAIT LES CONNAIS- 
"EG 


SANCES REQUISES AL ARD DES PRINCIPES, DES METHOOES ET OES TECH- 
NIQUES, DES SYSTEMES DE CONTROLE INTERNE ET DE COMPTABILITE, DES 
GUIDES DU BUREAU, DE L'INFORMATIQUE, DES STATISTIQUES, ETC.” 


LE VERIFICATEUR A-T-IL ETE CAPABLE D'IDENTIFIER LES ELEMENTS DE VERI- 
FICATION APPROPRIES ET DE DIFFERENCIER, AU COURS DE SON TRAVAIL, LES 
POSTES PERTINENTS DE CEUX QU! NE L'ETAIENT PAS? 


LE VERIFICATEUR A-T-IL RECUEILL! SUFFISAMMENT DE PREUVES SOLIDES ET 
APPROPRIEES POUR ETAYER, DE FASON RAISONNABLE, SES OPINIONS, CONCLU- 
SIONS, JUGEMENTS ET RECOMMANDAT IONS” 


QUALITY OF WORK: 
WAS, THE AUDITOR'S COMPLETED ASSIGNMENT SATISFACTORY IN TERMS OF 
ACCURACY, APPLICATION OF POLICY AND PRINCIPLES, PREPARATION OF REQUI- 
SITE DOCUMENTS, CONSISTENT AND IMPARTIAL TREATMENY OF CLIENTS, ETC.? 


QUANTITY OF WORK: QUANTITE DE TRAVAIL: 


DIO THE AUDITOR COMPLETE THE ASSIGNED TASKS IN AS THOROUGH A MANNER 
AS POSSIBLE UNDER THE TIME CONSTRAINTS (1.€. OID WE COVER ALL ANGLES 
AND PROVIDE ALL THE REQUIRED DOCUMENTS, ETC.)? 


ABILITY TO: APTITUDES A: 


ANALYSE AND EVALUATE: 
DID THE AUDITOR USE GOOD JUDGEMENT IN THE CHOICE OF AND APPLICATION 
OF APPROPRIATE TESTS AND PROCEDURES? 


DID THE AUDITOR DEMONSTRATE AN ALERTNESS TO SITUATIONS OR TRANSAC- 
TIONS THAT COULD INDICATE POSSISLE FRAUD, IMPROPER OR ILLEGAL EXPEN- 
DITURES OR OPERATIONS, IWEFFICIENCY, WASTE OR LACK OF EFFECTIVENESS? 


OID THE AUDITOR CAREFULLY ANALYSE AUDIT FACTS AND MAKE THE BEST 
RECOMMENDATIONS POSSIBLE IN THE CIRCUMSTANCES? 


eee 


PLAN: 

OID THE AUDITOR ENGAGE IM ACTIVITIES WHICH WERE NOY ESSENTIAL TO MEET 
THE OBJECTIVES OF THE ASSIGNMENT (1.€. THE PREPARATION OF UNNECESSARY 
WORKING PAPERS, ETC.)? 


DID THE AUDITOR DEVELOP A SYSTEMATIC PROGRAM OF ACTION TO ACHIEVE THE 
OBJECTIVES OF THE ASSIGNMENT (I.E. DID HE DEMONSTRATE AN UNDERSTANDING 
OF THE TOTAL OPERATION, INCLUDING OBJECTIVES, REQUIREMENTS AND 
PROBLEMS)? 


QUALITE DU TRAVAIL: ae: 
LA TACHE OU VERIFICATEUR UNE FOIS TERMINEE ETAIT-ELLE SATISFAISANTE EN 
TERMES DE PRECISION, D’APPLICATION DES POLITIQUES ET DES PRINCIPES, DE 
PREPARATION DES DOCUMENTS NECESSAIRES, DE RAPPORTS SUIVIS ET IMPAR- 
TIAUX AVEC LES CLIENTS? 


E VERIFICATEUR A-T-'L ACHEVE COMPLETEMENT LES TACHES QUI LUI AVAIENT 
TE CONFIEES, COMPTE TENU DES CONTRAINTES DE TEMPS (PAR EXEMPLE, a-T- 
iL ETUDIE TOUS LES ASPECTS DE LA TACHE ET FOURNI TOUS LES DOCUMENTS 
NECESSAIRES, ETC.)? 


ANALYSER ET EVALUER: | : 
LE VERIFICATEUR A-T-1L DEMONTRE UN "ON JUGEMENT DANS LE CHOIX ET L'AP- 
PLICATION DES CONTROLES ET DES MODALITES aPPROUVES? 


LE VERIFICATEUR S'EST-IL MONTRE PERSPICACE ET HABILE A DECELER LES 
SITUATIONS OU LES TRANSACTIONS LOUCHES IMPLIQUANT PEUT-ETRE DES 
FRAUDES, DES,DEPENSES OU DES ACTIVITES INAPPROPRIEES OU ILLEGALES, DES 
PERTES DUES A UNE MAUVAISE EXPLOITATION OU A UN MANQUE D'EFFICACITE? 


LE VERIFICATEUR A-T-IL ANALYSE AVEC ASSEZ DE SOIN LES ELEMENTS A VERI- 
FIER ET, EN REGARD DES CIRCONSTANCES, A-T-IL PRESENTE LES MEILLEURES 
RECOMMANDATIONS POSSIBLES? 


PLANIFIER: z 
LE VERIFICATEUR S‘EST-IL DISPERSE DANS CES ACTIVITES NON ESSENTIELLES 


A LA REALISATION DES OBJECTIFS DE SA TACHE (PAR EXEMPLE, LA REDACTION 
DE DOCUMENTS DE TRAVAIL INUTILES, ETC.)? 


‘ 
LE VERIFICATEUR S'EST-IL ELABORE UN PROGRAMME SYSTEMATIQUE D'ACTION 
POUR REALISER LES OBJECTIFS DE SA TRCHE (PAR EXEMPLE, A-T-IL DEMONTRE 
QU'IL COMPRENAIT BIEN LE CYCLE DE LA VERIFICATION, Y COMPRIS LES OB- 
JECTIFS, LES EXIGENCES ET LES DIFFICULTES)? 


aa 


ORGANIZE: ORGANISER: 


DID THE AUDITOR PROVIDE AND STRUCTURE THE MATERIAL AND PERSONNEL LE VERIFICATEUR A-T-IL FAIT APPEL AU PERSONNEL ET OBTENU LE MATERIEL 
REQUIRED TO PERFORM THE ASSIGNED TASK? NECESSAIRES A L'ACCOMPLISSEMENT DE SA TACHE? 

GACH Al 
DID THE AUDITOR EFFECTIVELY UTILIZE THESE WORK RESOURCES? LE VERIFICATEUR A-T-IL UTILISE DE FACON EFFICACE LES RESSOURCES MISES d 


SA DISPOSITION? 


CONTROL: CONTROLER: i 

O10 THE AUDITOR MEET TIME TARGETS OM THE ASSIGNED TASK? LE VERIFICATEUR A-T-IL RESPECTE LES ECHEANCES FIXEES? 

DID THE AUDITOR ATTAIN AUDIT OBJECTIVES WITHIN A MINIMUM OF DIRECTION LE VERIFICATEUR A-T-IL REUSSI A ATTEINDRE LES OBJECTIFS DE LA VERIFICA- 
AND GUIDANCE? TION EN N'AYANT QUE TRES PEU RECOURS AUX DIRECTIVES ET AUX CONSEILS 


DE SES SUPERIEURS? 


DID THE AUDITOWK MAINTAIN SUFFICIENT INDEPENDENCE SO THAT HIS OPINIONS. LE VERIFICATEUR A-T-IL SU DEMEURER ASSEZ INDEPENDANT PCUR QUE SES 
CONCLUSIONS, JUDGEMENTS AND RECOMMENDATIONS WERE IMPARTIAL? OPINIONS , CONCLUSIONS, JUGEMENTS ET RECOMMANDATIONS AIENT UN CARAC- 
TERE D’IMPARTIALITE? 


DID THE AUDITOR KEEP THE ASSIGNMENT ON SCHEDULE AND IN CONFORMITY TO LE VERIFICATEUR A-T-IL RESPECTE LES ECHEANCES, REGLEMENTS, PROCEDURES 

THE REGULATIONS, APPROVED PROCEDURES AND GUIDELINES EXPECTED? ET DIRECTIVES APPROUVES? 

DIRECT: DIRIGER: . . 

O10 THE AUDITOR PROVIDE LEADERSHIP AND GUIDANCE TO STAFF AND/OR TO LE VERIFICATEUR A-T-I1L MANIFESTE DES APTITUDES A DIRIGER ET & CONSEILLER 

PEERS IN A SPECIALIST OR ADVISORY ROLE (I.E. DID HE GAIN ACCEPTANCE OF LE PERSONNEL ET(OU) SES COLLEGUES LORSQU'ON LU! A CONFIE UN TRAVAIL 

HIS MOVICE THROUGH THE DEVELOPMENT OF CONFIDENCE IN HIS SERVICES)? prec neee OU QU'ON LUI A FAIT JOUFR LE ROLE DE CONSEILLER (A-T-1L REUSS! 
FAIRE ACCEPTER SES CONSEILS GRACE A LA CONFIANCE QU'IL A SU INSPIRER)? 


COMMUNICATE: COMMUNIQUER: 5 ; 
WERE THE AUDITOR'S WORKING PAPERS COMPLETE ACCURATE. CLEAR, LES DOCUMENTS DE TRAVAIL DU VERIFICATEUR ETAIENT-ILS COMPLETS, PRECIS 
UNDERSTANDABLE. LEGIBLE AND NEAT? CLAIRS FACILES } COMPRENDRE, LISIBLES ET PROPRES? 

DID THE AUDITOR SUBMIT A FINAL REPORT WHICH DID NOT REQUIRE MATERIAL LE ver IFICATEUR A-T-IL PRESENTE UN RAPPORT FINAL QU’ON N'A PAS EU 
CHK ANGE IN FACT OR CONTENT? BESOIN, PAR LA SUITE. DE RETOUCHER QUANT AU FOND OU A LA FORME? 

DIO THE AUDITOR COMMUNICATE WELL BOTH ORALLY AND IN WRITTEN FORM IN LE VERIFICATEUR A-T-IL REUSS|I A S'EXPRIMER FACILEMENT, ORALEMENT ET 
THE CONDUCT OF THE ASSIGNED TASK? PAR ECRIT. AU COURS DE Sa TACHE? 

CREATE AND INNOVATE: CREER ET INNOVER: 

DID THE AUDITOR HAVE OCCASION TO DEVELOP AN IMPROVEMENT IN PRODUCTI- LE VERIFICATEUR A-T-IL EU L'OCCASION AU COURS DE SES AFFECTATIONS 
VITY, TECHNIQUE OR PRACTICE BY MODIFYING PROCEDURES OR OTHERWISE D’AMELIORER SA PRODUCTIVITE. SES TECHNIQUES OU PRATIQUES DE TRAVAIL, 
INNOVATING IN THE PERFORMANCE OF THE ASSIGNED TASK? EN MODIFIANT LUI-MEME SES METHODES OU EN ELABORANT DE NOUVELLES 


FASONS DE PROCEDER? 


POTENTIAL FOR EFFECTIVENESS: POSSIBILITES DE RENDEMENT: 

DID THE AUDITOR MAINTAIN EFFECTIVE RELATIONS WITH FELLOW STAFF LE VERIFICATEUR A-T-H ENTRETENU DES RELATIONS DE TRAVAIL UTILES AVEC 
MEMBERS AND AUDITOR STAFF? SES COLLEGUES ET LE PERSONNEL DE VERIFICATION? 

OVERALL ASSESSMENT OF ASSIGNMENT(S) = COMMENTS APPRECIATION GENERALE DE LA OU DES AFFECT ATIONS - 


COMMENT AIRES 


SIGNATURE OF AUDITOR SIGNATURE OF AUDITOR IN CHARGE SIGNATURE OF MANAGER 
SIGNATURE OU VERIFICATEUR SIGNATURE DU VERIFICATEUR CHARGE DE L'AFFECTATION’ SIGNATURE DU DIRECTEUR 


OSS 10 (3/73) 


Soma 


. 
fr. ie . 


ar lay aa ay ay “Taree aa a ae etn Sat ge 


- = 
ry 7 J 
; 
. Yr © uhh «o. @ 6- =a . Ue A -Sme th > 
ad ‘ ~ gu ceea! FS ho ee tl at a ye 
me 
— - —— i > —_— — — me ——<— —— 
im = — 
i A otha a> et T eae om @7 a. }*° 
j » A = & © iae® & : J a ~e @ # 
‘ us 7 *% & D4 ee G TY ee eee ed 
, 
{ 
; - - ey = a a — oa ma 
1 : ae 9 Ore ~~. ew, § @ 
; a ; 5 7 es b 2 wy 2) wa 
’ 


e a A! sath g 7 S- ewe Ora a a & 
prt pea m. me ~ “+ 
va 
: _ . 
' , ” ‘ ‘ * | ots AG pe IU ai) 7a oe 
" od > += fu 1 ybe Sue © ~'e_e@ 
—s— A> = — 
: cy 7 I 7 ae © ere 
' e  % 4>-46 oo vi a ee) of 
pe da ss , ~ ew ‘s oe - abl é fo 
-< al ‘ a ue ie 9 aA ia = yin © 3 y : = 
: i.e a ‘& s 
. 7 = — 
“= : ia ede rep. =e + aa 
, Are ou 
7 «4 : és'1ra'? Bes ©@01¢@ wabiyid = = ae yds as * 
7 Ds aa re | wee ot 


pus “ff ae 


Internal Audit Handbook 
Volume I, Appendix B 
Internal Audit Manual - Table of Contents Bel 


APPENDIX B 


INTERNAL AUDIT MANUAL - TABLE OF CONTENTS 


VolumelI_- General 


Chapter | Introduction 


- Purpose of Manual 


- Use of the Manual 


Chapter 2 Summary of the Internal Audit Standards (23 standards) 


Chapter 3 Mandate 


(Mandate/Policy/Departmental! Directive or equivalent; introduced 


and/or signed by the head of the department/agency). 
Chapter 4 Audit Ethics 

(The IIA "Ethics" could be included here) 
Chapter 5 Description of the Department/Agency 
Chapter 5 Internal Audit Organization 

- Organization chart 

- Position descriptions 

- Delegation document(s) 

- Audit Committee 


- Relations with other organizations 
- Ete; 


Internal Audit Handbook 


Volume I, Appendix B 


Internal Audit Manual - Table of Contents BRBaZ 


Chapter 7 Internal Audit Systems and Procedures 


(a) 


(b) 


Planning 


- Environment Assessment (Including definition of the 
audit universe) 

- Strategic and Long-Term planning 

- Current-year planning 

- Resource Planning - Budget 
- Human Resource planning 
- Other (travel, contract, 

supplies, etc.) 
- MBO System (where used) 


Office Administration 


~ Resource acquisition - staffing 
- supplies 
- contracting 
~ space 
- furniture 
- library 
= etc. 
~ Filing System 
~ Security 
- Reference Library 
~ Copying Machine 
- Word Processing 
- Attendance (working hours, leave, etc.) 
= Ete: 


Internal Audit Handbook 
Volume I, Appendix B 
Internal Audit Manual - Table of Contents 1.Be3 


Chapter $ 


Volume II - 


Chapter 1 


(c) Control Systems 


- Project/Assignment control 

- Time sheet system 

- Commitment control 

- Financial reporting 

- Directorate Performance reporting on accomplishments 
vs objectives effectiveness, efficiency, economy; 
monthly/quarterly/annually 

- MBO Reporting (where used) 

- Performance Appraisal System (assignment and yearly) 

- Etc. 


Training Material 


~ Orientation Training 
- Other 


Auditing 


The Audit Process 


- Auditee Relations 

- Assignment Planning 
- Review 

- Evaluation 

- Verification 

- Reporting 


- Follow-up 


Internal Audit Handbook 
Volume I, Appendix B 
Internal Audit Manual - Table of Contents I.B.4 


Chapter 2 Assignment Administration 
- Team organization 
- Preparation for fieldwork 
- Working Paper Files/Permanent Files 


- Supervision 


Chapter 3 Audit Theory & Techniques 
(See Internal Audit Handbook, Volumes I & II) 


Volume III - Audit Guide Programs 


a) | Generic Guide for Development of Guides/Programs 


b) | Generic Guidelines (Developed by IACIA Working Groups) 


c) Departmental Guides/programs (Unique to the department or agency) 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes Bory! 


RISK DETERMINATION FOR INTERNAL AUDIT 
PLANNING PURPOSES 


Introduction 


In Chapter Three the basis for determining frequency and order of audit was a set 


of ranking criteria abstracted from the Standards for Internal Audit (see Table 1). 


In his 1978 Report, the Auditor General suggested that internal auditors consider 
"materiality, importance to management and degree of risk, or opportunity" as 


criteria for assessing potential audit units. 


Internationally, organizations such as the Swedish National Audit Bureau, which has 
an extremely broad mandate including "effectiveness audit", attempts to consider 
each entity by subjectively evaluating those entities in the universe in terms of 
their relative desirability for audit. It is apparent that such criteria are difficult 


to reduce to monetary or quantitative terms. 


In the private sector and some "production" oriented government agencies it has 
been possible to reduce the various goals of audit to a single monetary measure 
using either a value added approach or the application of quantitative techniques 


such as expected value analysis. 


In the public sector, because of the diverse nature of entities subject to audit and 
the lack of rigorous choice criteria, the problem of what process to use in ranking 
audit units remains largely unresolved. A few attempts have been made to deal 
with this problem quantitatively. These range in sophistication and complexity 
from a prioritization model based on utility theory to simple scoring models which 
usually consist of identifying the more significant criteria, assigning each criterion 
in each entity a score, weighting these scores and then summing for an overall 
entity score. The score and weights in these models are seldom rigorously defined 
or validated, however, to the degree that they reflect an organizations preference 


criteria they have at least local value for a specific time period. 


Internal Audit Handbook 
Volume I, Appendix C, 


Risk Determination for Internal 


Audit Planning Purposes 


(a) 


(b) 


(c) 


(d) 


(e) 


(f) 


(g) 


CRITERIA 


size 


risk 


major changes 


previous 
internal audits 


work of other 
auditors or 
consultants 


concerns and 
needs of senior 
management 


special 
considerations 


I.C.2 


Table 1 


Table of Significance Criteria 


DETERMINENTS 


usually determined by 
revenue generated 
expenditures made 
assets controlled 
person years 


risk is a function of 
the extent and reliability of the control 
system 
the vulnerability to loss 
the vulnerability to criticism through poor 
products and services 

: political sensitivity 


major changes in systems or organization 
the implementation of new systems 


: the establishment of new organizations 
: changes in key personnel 
dates 


: findings and recommendations 
the extent of follow-up and corrective 
action by management 
(The discovery of major deficiencies in one unit 
may necessitate audits of similar units.) 


The reports and audit plans of 
the Auditor General 
the Comptroller General 
Treasury Board 

: other evaluation groups 

“ consultants 


; Have priorities been identified by senior 
management? 
Has senior management made a specific 
request for an audit to be done? 


provision for other criteria which may have an 
impact on the ranking process. 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes Ee. 


All these problems notwithstanding, the fact remains that audit units must be ranked 
in some order of priority. Whether they choose to do so on a completely subjective 
basis or through a more objective approach, departments will have to develop and 
adopt priority setting models appropriate to their environment by using some 
combination of the above-mentioned ranking criteria, appropriately weighted according 
to their importance, if they are to produce acceptable audit plans. The major strength 
of a prioritization model is that it makes explicit management's decision-making 
criteria. In the absence of a generally accepted and scientifically rigorous quanti- 
tative system, a simple judgmental model incorporating some or all of the criteria 
listed in Table | can be used to advantage. An attribute scoring system may be 

used as an added feature for ranking audit units sufficiently homogeneous to make 

this approach meaningful. In any case, a systematic priority setting process would 


serve to improve the degree of consistency in the selection and planning of audits. 


In the interest of providing further input for consideration in deciding on the criteria 
to be used for development of manageable audit units and reporting units, determi- 
nation of frequency of audit and for determining the order in which audit units 
should be scheduled a ranking methodology, based on risk assessment, is presented 


in the following sections. 
Risk as a Decision Criterion 


The Standards state that in identifying manageable audit units "The audit units 
should be established in such a way as to provide a basis for effectively planning, 
controlling and executing the audit work. An audit unit is a potential assignment 
of manageable size, but of such scope and nature that, if audited with due care, it 


will produce significant and meaningful information for management." 


In deciding on which potential audit universe elements should be absorbed into the 
audit plan, and in what form, three related decisions need to be made. The first is 
which audit universe elements, or groups of elements, deserve audit attention, i.e. 
are entities that when reported on "...will produce significant and meaningful infor- 
mation for management". The second is a decision on how to package audit universe 


elements, or groups of elements, that have been identified as worthy of inclusion in 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes 1.C.4 


the audit plan into audit assignments that are manageable (Manageable audit units). 
The third decision is, in what order should the manageable audit units be audited 


and/or how frequently. 


To make the decisions discussed above we have to first decide on the criteria 

to be used. The second decision depends heavily on the audit manager's (planner's) 
experience in audit assignment management and on the quality and quantity of 
audit resources available for deployment. In cases where the audit universe is 
being defined and given audit coverage for the first time it may be desirable to 
experiment with a variety of forms of manageable audit unit and/or to consult with 


other audit managers in the internal audit community. 


The first and third decisions may be made on the basis of the same criteria, namely 
risk. The essence of control activity in general is risk avoidance. That is, either 
avoiding, or minimizing deviations in actual performance from desired (planned) 
performance. Since internal auditing is primarily a control activity, performed on 


behalf of management, its primary aim is also risk avoidance. 


The next step then is to define risk in sufficiently complete and inclusive terms 
that identification of the potential risk associated with any audit universe element 


will be facilitated. 


Before launching into a detailed discussion of risk, two caveats need to be stated. 
First, we continue to subscribe to the statement in the Standards that "There is no 
standard model for identifying audit units, nor is it practical to attempt to develop 
one for application on a government-wide basis, because of the varying nature of 
departmental operations". Therefore, what follows should be treated not as a standard 
model, but as one possible framework which may be helpful in making explicit and 
evaluating the basis and dimensions of what will inevitably be judgemental decisions. 
Second, although in what follows a more structured approach to making the planning 
decisions involved will be advocated, this does not imply the belief that those 
decisions can be converted into a routinized, dollarization process, as is advocated 
in some internal audit planning models!. The reason that dollarization is not an 


adequate concept, at least for the public sector environment is that the purpose of 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes 1.C.5 


public sector organizations is not usually strictly economic. The mandate of most 
public sector organizations includes economic and/or social goals, although these 


are generally accomplished through the use of public funds (i.e. economic means). 


The process leading to decisions on which audit universe elements deserve attention 
within the next planning cycle, and in what order they should receive this attention, 
consists of two basic steps. These are the identification of risk potential and arriving 


at a consensus (between audit managers and with senior management). 


Identification of risk potential 


In identifying risk potential there are several ways in which the term risk can be 
characterized and broken down (disaggregated) into its components which could aid 
in the identification of the source of the risk, its nature and its materiality/signi- 
ficance. ? Saat 

Those approaches reviewed all have shortcomings, either in terms of completeness 
or because they are not mutually exclusive, or both. Completeness is necessary so 
that all situations having risk potential are capable of being identified; in order to 
prevent double counting mutual exclusivity is mandatory in the aggregation of risk 


indicators. 


In what follows an attempt is made to build upon those approaches provided in 


internal audit literature, while avoiding their weaknesses. 


ils Quantitative Measurement of the Audit Universe and the Related Audit Effort 

- An Operating System; A research project of the International Research 

Committee, The Institute of Internal Auditors, Inc. 

A Framework For Evaluating Internal Audit Risk; IIA, Inc. 

Audit Project Evaluation Methodology; O. Ronald Gray; IIA Journal, June/83. 

: Planning For the Internal Audit Function; J. Efrim Boritz, The Institute of 
Internal Auditors Research Foundation. 


Se 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes G26 


To start with, it is proposed that any index or indicator of risk, regardless of the 
level of disaggregation, be a function of two parameters; amount/significance, and 
probability/likelihood of occurrence. (From now on these will be referred to as 
significance and probability.) These two parameters may be combined to give a 
risk indicator in terms of "expected risk". Sources of information which could help 
in deciding on what subjective probability to assign each risk component chosen, 


are shown in Table 2. 


A model showing possible levels of disaggregation of the significance parameter 
associated with the term risk, into its components, is shown in Figure 1. For each 
relevant component, at any chosen level, the values of the two parameters (signifi- 
cance, probability) would be assigned and then divided by the maximum possible 
score (i.e. normalized). The normalization is necessary in order that the indicators 
be capable of being compared for ranking purposes, regardless of the number of 


components chosen to represent the risk potential of the given audit unit. 


Some illustrative examples, employing the proposed model at different levels of 


sophistication may help to demonstrate its use. 


In the simplest case, the audit universe elements are grouped into manageable 

audit units using judgement, based on past audit experience. Then they are intuitively 
ranked as to importance to management by using a combination of one or more of 

the list of risk criteria shown on the left hand side of Table 3. This list is then used 
to determine the frequency of audit of the manageable audit units and the order in 


which they will be audited in any one year. 


This approach has already been demonstrated by an example in Chapter Three. 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes 1.C27 


Table 2 


Sources of Risk Information 


iN Managerial concerns 


23 Past history 


Be Previous audits 


4,  MIS/variance reports 
De Other, performance oriented reports 
6. Environmental data indicating risk probability 


Although this approach can be used successfully in relatively small departments 

and agencies it becomes progressively more arbitrary and suspect as the portfolio 

of audit universe elements grows. Also, this approach tends to delay the introduction 
of management concerns until the ranking phase of the planning process whereas it 

is preferable to introduce these concerns at an earlier stage, when audit universe 


elements are being combined into manageable audit units and reporting units. 


Some large departments have attempted to introduce management concerns earlier, 
and to assign scales to the individual risk components and aggregate the results. 
They use weighting factors, to make the risk identification process more explicit 
and to avoid the arbitrariness and other potential weaknesses of the previously 
described approach. This approach could be an improvement if care is used to 
prevent double counting of factors which are not mutually exclusive, weighting 
factors are carefully chosen and validated, and the same risk components are used 


for each manageable audit unit. These are severe constraints, seldom adhered to. 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes LGs 


An approach which attempts to avoid the pitfalls of other methods is based upon 


the following model: 


a) 


A "Significance Components" model (Figure 1) which allows for identifi- 
cation of risk in terms of "significance" at five levels of disaggregation. 
The level chosen by the planner will depend on the planner's approach to 
planning (structured, unstructured) and on the complexity of the organiza- 
tion being planned for. This model is reconciled with the ranking criteria 
provided in the Standards in Table 3. Each potential risk component 
consists of two parameters; significance (from Figure 1) and probability. 
Potential risk in this case is represented by the mathematical term, 
"expected risk", which is the product of significance and probability of 


occurrence. 


It is proposed that scales be provided for the significance parameter of 
each risk component used, and that the numerical values assigned be 
normalized for each audit unit to facilitate ranking. This results in a 
significance index. (See Table 4 for an example of risk scales and Table 5 
for an example of a normalization procedure.) The significance scales 
may be of two types, one based on quantitative data (illustrated in the 
following pages) and the other based on conviction (e.g. a scale of | to 5 
with "1" indicating very low level of risk and "5" indicating a very high 
level of risk). 


Once the significance indices have been assigned, the next step is to 
assign probabilities to each risk component. (See Table 6 for sources of 


relevant information.) 


Finally the combined Potential Risk factors (Expected risk = Significance 
x Probability) are normalized for each audit unit. This results in a 
Potential Risk Index. (See Table 7 for an illustration.) The proposed 


use of the significance and potential risk indices is as follows: 


Utilize significance indices for determining manageable audit 


units/reporting units that are significant to management, and for 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes I.C.9 


determining frequency of audit. (Refer to Chapter Three for 
elaboration of these two processes); and 


b) Utilize the potential risk indices for determining the order in which 


audit units should be audited. 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal . 
Audit Planning Purposes EGA10 


SIGNIFICANCE COMPONENTS 
(Five levels of disaggregation) 


Significance 
(1) 
Economic Significance Social Significance 
(200)) (22) 
Grantes Intended Unintended C 
Capital Operating Co patie Output not Output 
(3,1) (3, 2) : a aan Achieved Achieved 
f (3, 4) (3, 5) 
Direct Support 
(4,1) (4, 2) 
$'s $'s PY's $s PY’s $'s 

(5,1) (5, 2) (5, 3) (5,4) (5, 5) (5, 6) 


Note: Expected Risk = SXP where: 
S = Significance 
P = Probability 


Figure 1 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes Loli 


Table 3 


Reconciliation with Ranking Criteria shown in the Standards and the structure as 


displayed in Figure 1. 


Ranking Criteria 


(Standards) Risk Component 
l. Size = Level 5; $, PY's 
Z. Risk of Loss - Risk Component (Significance, Probabili: 


(All levels) 


3; Special Considerations - Level 4; 
a) Intended Output Not Achieved 


b) Unintended Output Achieved 


4, Major Changes - Risk Component (Significance, Probabilit 
(All levels) 


5. Previous Internal Audits ~ All Components 
6. Work performed by other Auditors - All Components 
7. Known Desires of Management - All Components 
Note: 5, 6, 7 are sources of criteria rather than criteria in themselves 


(see Table 2 for other sources). 


Internal Audit Handbook 
Volume I, Appendix C, 

Risk Determination for Internal 
Audit Planning Purposes 


Table 4 


Scales for Potential Risk Components 


Potential Actual 
Risk Parameter 
Scale Component Values 
1 (551) (6,2), (6,59) Sa6,6) below $100,000 


$100,000 - $299,000 
$300,000 - $499,000 
$500,000 - $999,000 
$1,000,000 and above 


2 (553) 35) Less than 3 
3-5 
6-9 
10 - 19 


over 20 


Significance: 
3 (354) KOs.) Low 


Medium 


High 


Assigned 
Scale 


Values 


Mm FF WY NHN Se ese WSS 


Wy ese SS) DS == 


(1-5) 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes Leste 


Table 5 


Normalization Procedure 


Managable 
Audit Risk Normalized 
Unit Components Significance Value 
(Level, Component)! (Scale 1-5) 
1 Out) 4 
(65:2) 2 
Aggregate: 6/10 
Normalized: 0.60 
iz (4,3) 2 
Aggregate: 215 
Normalized: 0.40 
3 332 5 
BIAS) 3 
4,4 Z 
Aggregate: 10/15 
Normalized: 0.67 
Significance Ranking Table of MAU's 
Significance 
MAU Index Rank 
3 0.67 i 
1 0.60 Z 
2 0.40 3 
Notes 
l From Table | 
Z Ties may be broken in three ways: 


Js Judgemental pair comparison 
Ze Adding risk factors for the tied units 


3: Refining assignment of parameter values 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes 1.C.14 


Table 6 


Sources of Information for Probability Determination 


1. | Managers (Interviews) 


Ze Management Information System reports 


3. | Operating Information System reports (e.g. Quality Assurance, Inspection) 


4, Management Services'/consultant's reports 


5. Internal Audit reports 


6. Internal Audit Permanent Files 


Te External Audit reports 


8. Central Agency review reports 


9. Program Evaluation reports 


10. Reports on environmental problems/threats 


Internal Audit Handbook 
Volume I, Appendix C, 


Risk Determination for Internal 


Audit Planning Purposes 


Table 7 


Normalization Procedure 


bs Gir bs) 


Managable 
Audit Risk Normalized 
Unit Components Significance Probability Expected Risk Value 
(Level, Component)! (Scale 1-5) 
1 (551) 4 re 2 
(552) 2 5 1 
Aggregate: 3710 
Normalized: 3-4 10 = 0.30 
2 (4,3) 2 oT, eh 
Aggregate: 1.6/5 
Normalized: as! ee 0.28 
3 352 5 1.0 5 
Shs) 3 Oxy Pass | 
4,4 Z 0.8 1.6 
Aggregate: S.7/19 
Normalized: S27 315 = 0.58 
Potential Risk Ranking Table of MAU's 
Potential 
Risk, 
MAU Index Rank (Order) 
3 0.58 1 
| 0230 2 
2 0.28 3 
Notes 
1 From Table 1 
2 Ties may be broken in three ways: 


1, Judgemental pair comparison 


2. Adding risk factors for the tied units 


2) Refining assignment of parameter values 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal (< 
Audit Planning Purposes Lea6 


An illustrative example should help to explain how the proposed model would work. 
Suppose that the potential manageable audit unit under review, for inclusion in our 
plan, is the Budgets Division of the Financial Administration Branch (MAU No. 4), 
with a budget of $600,000 and 9 person-years (Table 8). Suppose further that it has 
been decided that the significance parameter scale is: between | and 5 depending 
on whether the budget of the potential manageable audit unit is below $100,000, 
between $100,000 and $299,000, between $300,000 and $499,000, between $500,000 
and $999,000 and $1,000,000 and above; between | and 5, depending on whether the 
person-years count is less than 3, between 3 and 5, between 6 and 9, between 10 
and 19 and 20 or above; and, between | and 5, depending on whether the unit is 
considered a potentially low, intermediate or high risk area. (See Table 4 for a 


summary of these scales.) 


If we now enter the risk disaggregation tree, on Figure | at level 5 we have two 
components under support (4,2), namely budget $'s (5,4) and PY's (5,5) which are 
relevant. Using our scales for budgets and PY's (Table 3) we can assign values to 

the significance parameter as follows: 4 for budget and 3 for PY's (see Table 8 for 
asummary). This gives a normalized significance value (index) of .70. If we now 
assume a probability of occurrence of 0.70 for each risk component we obtain a 
normalized potential risk value for MAU No. 4 of (2.8 + 2.1) + 10 = 0.49. Taking 

this normalized value and comparing it to MAU's no. |, 2 and 3 in Table 7 it is readily 
seen that MAU No. 4 would rank 2nd after MAU 3 and ahead of MAU's no. | and 2. 


Referring to Chapter Three, it is evident that the significance parameter (with 
suitable thresholds) may be used as a criteria for determining reporting units and 
frequency since it is equivalent to the risk/significance index used there. On the 
other hand, the normalized, expected potential risk parameter is more appropriate 


for determining the order in which audit units should be scheduled. 


Arriving at a Consensus 


Arriving at a consensus is a form of validation of the decisions made as to the risk 
potential of the various manageable audit units considered, and of the underlying 


assumptions. 


Sen 


Internal Audit Handbook 
Volume I, Appendix C, 

Risk Determination for Internal 
Audit Planning Purposes 


Table & 


Potential Risk Summary Table 


Ora ly 


Actual Parameter 
Risk Parameter Scale Expected Normalizec 
MAU Component Value Value Probability Risk Value 
No. 4; 5,4 $ 600,000 & 7 2.8 
(Budget Div., 
Financial Pe) y) 3 yf Zo 
Administration 
Branch) Aggregate 7/10 4.9/10 
Normalized TERT AO Ren OAD 42 +. 10r2 0.49 
Note 
* It would of course be easier, in this case, to simply multiply the budget 


($600,000) times the probability (.7) to get an expected risk of $420,000, 


however, this approach would not provide a means of comparing or combining 


risk component 5,4 with other non-dollar, risk components (e.g. risk component 


Dy) 


Internal Audit Handbook 

Volume I, Appendix C, 

Risk Determination for Internal 

Audit Planning Purposes VCS 


Since audit plans should reflect management's concerns, consensus should be sought 


not only among auditors but with management as well, particularly senior management. 


The consensus gathering process has inherent advantages, in that it facilitates 
better understanding and commitment on the part of both auditor and senior manage- 


ment to the audit plan. 


It also has disadvantages. It is a time-consuming process which must be continually 
tested for the possibility that the point of diminishing returns has been reached. It 
may also create more ill will than understanding and commitment, if carried too 


far. 


The process itself may be described in terms of the matrix shown in Figure 2. Four 
conditions that may arise during the process are shown, namely conditions 1, 2, 3 
and 4. 


Conditions | and 2 are straightforward, as in these cases there is agreement as to 

risk potential. Conditions 3 and 4 reflect two possible levels of disagreement. 
Condition 3 reflects agreement on facts but disagreement on criteria, or reconciliation 
of criteria and facts. This disagreement is crucial to the rest of the process because 
it is systemic, however, once resolved it clears the way for resolution of many 
disagreements through one negotiation effort, i.e. this type of disagreement has 
leverage on the whole consensus process and, therefore, is worth concentrating 

effort on doing well. It may involve reconsideration of risk components, per Figure 1, 


criteria, per Table 3, or simply subjective probability of occurrence. 


The 4th condition could be a disagreement on facts, or criteria or both. The first 
step in resolution of this type of disagreement is determination of whether criteria 
or facts are the source. If criteria then it becomes a condition 3 problem and is 
handled within that framework (per the previous paragraph). If it is simply a question 
of insufficient data then the remedy is some form of preliminary survey. In the 
worst case it may mean that a partial audit is scheduled up to and including the 
review phase before a decision is made as to the risk potential of the particular 


manageable audit unit that is the focus of the disagreement. 


ee, 


Internal Audit Handbook 
Volume I, Appendix C, 

Risk Determination for Internal 
Audit Planning Purposes 


The Consensus Gathering Process Matrice 


Agreement 

On Risk 

Potential 
Facts Parties Parties 
Required Agree Don't Agree 


for Reaching 
Consensus 


Insufficient 4 


Figure 2 


L.C.19 


ee ae | 
Siwigon vol 
maces? 


a? eee - — - = — i a einen — 
y teri’ ¢ 


nie 


ifs spate that t 


7 7 » ~~ 
—— a a a ee a ——— 
* 


so —— a pee 


ah : 


pa son Or ‘a 
ae © Sie) 1 


) 


Internal Audit Handbook 
Volume I 
Bibliography 


BIBLIOGRAPHY 


Internal Audit Handbook 


Volume I 

Bibliography ee ye | 
Bibliography 

i Anthony, Robert N. and Herzliner, Regina, "Management Control in Nonprofit 


10: 


ees 


Organizations", Richard D. Irwin, Inc., Homeword, Illinois, 1975. 


Anthony, Robert N. and Dearden, John, "Management Control Systems", 
Richard D. Irwin, Inc., 1980. 


Blake, R.R., and Monton, J.S., "The Managerial Grid", Houston, Texas: Gulf 
Publishing Company, 1964. 


Boritz, J. Efrim, "Planning for the Internal Audit Function", The Institute of 
Internal Auditors Research Foundation, The Institute of Internal Auditors, 


Inc., Altamonte Springs, Florida, 1983. 


Brink, Victor, Z., Cash, James A., Witt; Herbert; "Modern Internal Auditing", 
The Ronald Press Co., New York, N.Y., Third Edition, 1973. 


Cashin, James A., (Editorian-Chief), "Handbook for Auditors", McGraw-Hill, 
New York, N.Y., 1971. 


Dejon, William L., "Principles of Management", The Benjamin/Cummings 
Publishing Co. Inc., Don Mills, Ontario, 1978. 


Drucker, Peter F., "Management: Tasks, Responsibilities, Practices", Harper 
& Row, New York, 1974. 


Edds, John A., "Management Auditing: Concepts and Practice", Kendall!/Hunt 
Publishing Company, 1980. 


Gray, Ronald O., "Audit Project Evaluation Methodology", ITA Journal, The 


Institute of Internal Auditors, Inc., June 1983. 


Herzberg, F., Mourner, B., Peterson, R., Capwell, D., "Job Attitudes: Review 
of Research and Opinion", Pittsburgh: Psychological Services of Pittsburgh, 
19>7 


Internal Audit Handbook 


Volume I 
Bibliography 1.D.2 
12. Kasurak, P.C., "Using a Utility Model To Plan Audit in the Public Sector", 


TSE 


14, 


1D; 


16. 


ie 


18. 


oh 


20. 


7H 


Unpublished Paper, Department of National Defence, 1980. 


Kasurak, P.C., "A Proposal for a Strategy Formulation Process in DGA", 


Unpublished Paper, Department of National Defence, 1981. 


Koontz, Harold, O'Donnell, Cyril, "Essentials of Management", McGraw-Hill, 
1973. 


Maslow, Abraham, "Motivation and Personality", New York, Harper & Row 


Publishers Incorporated, 1954. 


Sawyer, Lawrence B., "The Practice of Modern Internal Auditing", The Institute 


of Internal Auditors, Inc., Altamonte Springs, Florida, 1981. 


Sinclair, Sonja, "Cordial But Not Cosy: A History of the Office of the Auditor 


General", McClelland and Stewart, Toronto, Ontario, 1979. 


The Canadian Institute of Chartered Accountants, "CICA Handbook", The 
Canadian Institute of Chartered Accountants, 250 Bloor St. E., Toronto, 


Ontario. 


The Chartered Institute of Public Finance and Accountancy, "Audit Planning 
and Control", The Chartered Institute of Public Finance and Accountancy, 
Buckingham Place, London, GBR, 1982. 


The Institute of Internal Auditors, "Quantitative Measurement of the Audit 
Universe and the Related Audit Effort - An Operating System; A Research 
Project of the International Research Committee", The Institute of Internal 


Auditors, Inc., Altamonte Springs, Florida. 


The Institute of Internal Auditors, "A Framework for Evaluating Internal 


Audit Risk", The Institute of Internal Auditors, Inc., Altamonte Springs, Florida. 


Internal Audit Handbook 
Volume I 
Bibliography 123 


22. Treasury Board of Canada; "Principles for the Management of the Public 


Service of Canada"; Treasury Board of Canada; September 1983. 


23. Treasury Board of Canada; "Standards for Internal Audit in the Government 
of Canada; Treasury Board of Canada (Office of the Comptroller General of 
Canada, Policy Development Branch); 1982. 


24. All current departmental Internal Audit Manuals were reviewed; those borrowed 
from (abstracted and/or annotated) are referenced directly (see Appendices A 
& B). 


oe, 
> 
he 
] 
+ Pr 
a 7 7 
a) s on 
¢ Pe ay, ~ t4 Deere Fre © -ia@e : a 
. 7 i - 
dh Glam he=n pee 7 ; SE wi, ( 


7 awa br Mi i 
; 7 aap i] 
(ane | : 


-) 


ar 
7 if is 


ahi (anne ay Oe ab 
re ee Le “ae ch eine 


Internal Audit Handbook 


Volume I 


Summary Of Internal Audit Standards ESE 


SUMMARY OF STANDARDS 


CHAPTER ONE - ROLE OF INTERNAL AUDIT 


l. Departments shall have an independent internal audit function that carries 


out a systematic review and appraisal of all departmental operations for 


purposes of advising management as to the efficiency, economy and effective- 


ness of internal management policies, practices and controls. 


CHAPTER TWO - SCOPE AND FREQUENCY 


Ze Scope 


The scope of internal audit shall encompass all aspects of a department's 


operations. The internal auditor assesses and expresses an opinion upon: 


a) 


b) 


c) 


d) 


e) 


The design, development, implementation, and operation of all systems, 


procedures, processes and controls, including computer-based systems; 


The reliability and adequacy of information available for decision-making 


and for accountability purposes; 


The extent to which available information is utilized in the decision- 


making process; 


The adequacy of protection afforded public funds and assets; and 


The extent of compliance with legislative, central agency and depart- 


mental directions. 


3. Frequency 


All major systems, functions and organizational units performing significant 


responsibilities should be examined within a period not exceeding three to 


five years. 


Internal Audit Handbook 
Volume I 
Summary Of Internal Audit Standards EL2 


CHAPTER THREE - ORGANIZATION AND RELATIONSHIPS 

4, Reporting Relationship 
The head of the internal audit group should report to the deputy head. 

De Audit Committee 
There should be an audit committee chaired by the deputy head, composed of 
executives whose attributes assure the provision of sound and objective counsel 
to the deputy head. 

6. Integration of Audit Activities 
All internal audit activities shall be integrated to eliminate overlapping and 
duplication of work, and to contribute to the efficiency of internal auditing 
within the department. 

7. Audit Agents 
Where audit agents are used, there should be a written agreement with each 
agent that specifies audit objectives, audit scope, reporting relationships, the 
authority of the auditors, and the rights of the department to examine audit 
documentation. 

CHAPTER FOUR - AUDIT INDEPENDENCE 

8. Audit Policy 
The deputy head shall approve and promulgate an audit policy which specifies 
the responsibility and authority of the audit group, outlines the scope and 


frequency of audit, and authorizes access to all departmental information 


necessary for the fulfilment of its mandate. 


( 


Internal Audit Handbook 
Volume I 
Summary Of Internal Audit Standards ES 


The policy should specify the responsibilities of auditees and the internal 


audit committee vis-a-vis the audit process. 
2: Objectivity 


Members of the internal audit group should execute each aspect of assigned 


audit work in a manner which is, and is perceived to be, objective. 
CHAPTER FIVE - AUDIT STAFF 
10. Size and Skills 


The internal audit group should be of sufficient size and possess the skills 


necessary to carry out its mandate. 

ll. Professional Development 
The internal audit group and the individual auditor should have a common 
obligation to develop and maintain professional skills through training courses, 
on-the-job training, personal self-improvement, and a formal program of 
annual appraisals. 

CHAPTER SIX - PLANNING AND SCHEDULING 

12. Long-term Plan 
A long-term plan of the activities of the audit group shall be prepared and 
documented to ensure that the organization's audit policy is met efficiently 
and effectively. 


13. Annual Schedule 


An annual schedule of planned audit assignments shall be prepared and submitted 


to the deputy head for approval. 


Internal Audit Handbook 
Volume I 
Summary Of Internal Audit Standards 1.E.4 


CHAPTER SEVEN - PERFORMING THE AUDIT 

14, Assignment Planning 
Every audit assignment should be properly planned. 

15. Performance 
There should be a sufficient study and evaluation of the operational and 
management systems, procedures, processes and controls as a basis for 
conducting the detailed review and tests required to identify and disclose 
weaknesses and inefficiencies. 

16. Due Care 
Each auditor should exercise due care in the performance of the audit. 


17. Evidence 


Sufficient valid and relevant evidence should be obtained and documented to 


support the content of audit reports. 


18. Supervision 


Staff engaged in all phases of an audit assignment should be subject to adequate 


super vision. 


19. Supervisory Review 


All audit work should be subject to a properly planned and documented review 


process conducted by the appropriate level of qualified supervisory staff. 


Internal Audit Handbook 
Volume I 
Summary Of Internal Audit Standards IED 


CHAPTER EIGHT - REPORTING 
20. Assignment Report 


A written report shall be issued to appropriate officials of the department or 


agency at the conclusion of every audit assignment. 


The report must be timely, accurate, clearly stated, complete yet concise 


and recommend corrective action when appropriate. 


21. A report shall be submitted to the deputy head at least annually on audit 
coverage, major findings, significant unresolved recommendations and any 


other matters requiring the deputy head's attention. 

22. Post-Audit Consultation 
Audit findings and recommendations should be discussed with relevant officials 
prior to issuing the report and their comments included in the report, as 
appropriate. 

23. Follow-up 
The internal audit group should assess whether appropriate follow-up action 


has been taken on the implementation of audit recommendations and it should 


report inadequate action. 


et | Aigtot, : 


y 


“i 1 hi 7 

-_—? i \ 
eo eee ie 
ye Meee a sel 


TG | 
gaia ive 


i ont) OF oe 
A bi oa e's 5 ar & 
mie at Bile eer 


Py ns 


att Say rags aes 
J > 
a | - 
; rh : 
of ah > | 
wan? t 
vr , 
1p4 am! 
- - 
‘ “a 
{ ieee , 


i: Von ae : v1 
i j : ’ a "a hie ri | - a aL 2 yy 
eons a i i +) pe, : - ii ; 


‘ ee Dt seen <ce i Dialed 
' : U li . : ; t j 7 
m 5 if ; 
ni : 


Internal Audit Handbook 
Volume I 
Internal Audit Code of Ethics 1.F.1 


INTERNAL AUDIT CODE OF ETHICS 


(Abstracted from The Institute of Internal Auditors' Code of Ethics and annotated 


to suit the federal government environment.) 
INTERPRETATION OF PRINCIPLES 


The provisions of this Code of Ethics cover general basic principles which apply to 

all internal audit in the practice regardless of the disciplines involved. A member 

shall realize that individual judgement is required to the application of these principles. 
He/she has a responsibility to conduct himself so that his/her good faith and integrity 
should not be open to question. While having due regard for the limit of his technical 
skills, he/she will promote the highest possible internal auditing standards to the 


end of advancing the interest of his/her company or organization. 
ARTICLES 


i An Internal Auditor shall have an obligation to exercise honesty, objectivity 


and diligence in the performance of his or her duties and responsibilities. 


II. An internal auditor, in holding the trust of his/her employer, shall exhibit 
loyalty in all matters pertaining to the affairs of the employer or to 
whomever he or she may be rendering a service. However, a member 


shall not knowingly be a party to any illegal or improper activity. 


Ill. An internal auditor shall refrain from entering into any activity which 
may be in conflict with the interest of his or her employer or which 
would prejudice his or her ability to carry out objectively his or her 


duties and responsibilities. 


Mie An internal auditor shall not accept a fee or a gift from an employee, a 
client, a customer or a business associate of his or her employer without 


the knowledge and consent of his or her senior management. 


Internal Audit Handbook 


Volume I 
Internal Audit Code of Ethics Por .2 
Y. An internal auditor shall be prudent in the use of information acquired 
in the course of his or her duties. He or she shall not use confidential 
information for any personal gain or in a manner which would be 
detrimental to the welfare of his or her employer. 
VI. An internal auditor, in expressing an opinion, shall use all reasonable 
care to obtain sufficient factual evidence to warrant such expression. 
In reporting, an internal auditor shall reveal such material facts known 
to him or her which, if not revealed, could either distort the report of 
the results of operations under review or conceal unlawful practice. 
VII. An internal auditor shall continually strive for improvement in the 
proficiency and effectiveness of his or her service. 
VIll. A federal government internal auditor shall abide by the Standards for 


Internal Audit in the Government of Canada. In the practice of his or 
her profession, he or she shall be ever mindful of his or her obligation to 


maintain a high standard of competence, morality and dignity. 


iv 


Treasury Board of Canada Conseil du Trésor du Canada 


Comptroller General Contrdéleur général 
No. 1983-01 Internal Audit 
Date: 01-09-83 Policy Interpretation Notice 


Subject: INTRODUCTION TO THE ISSUANCE 
OF POLICY INTERPRETATION NOTICES 


Office of the Comptroller General Policy Development Branch 


Internal Audit and Special 
Studies Division 


PURPOSE AND SCOPE 


The purpose of this Policy Interpretation Notice (PIN) is to provide to 
the internal audit community a general description of what can be 
expected from future PINs, the rationale behind this new procedure and 
the action requested from internal audit groups in response to the 
suggestions provided. 


ISSUES 


The Standards for Internal Audit in the Government of Canada, issued in 
1982 by the OCG, identify in concise form the broad concepts vital to an 
effective internal audit function. As these concepts have been interpreted 
and applied by various internal audit groups within the government, the 
need for supplementary explanation or guidance has been expressed to the 
Internal Audit and Special Studies Division (IASSD) through its ongoing 
liaison and performance assurance review activities. In addition, new 
initiatives within the government and the profession have created other 
needs for guidance. 


In response to these identified needs, IASSD will adopt, as part of its 
overall activities, a procedure of issuing PINs which will provide the 
supplementary guidance required for various internal audit practices. 


G > Questions concerning this notice should be directed to: 
cere INTERNAL AUDIT AND SPECIAL STUDIES DIVISION 

working _ travaillons 

together ensemble POLICY DEVELOPMENT BRANCH 


ace OFFICE OF THE COMPTROLLER GENERAL lee 
Canada 


(613) 996-6171 or 995-1297 Canada 


INTERPRETATION NOTICE POSITION 


Most PINs will be created to aid consistency in internal audit procedures, 
provide technical advice, share common information or suggest the 
creation of new general procedures. 


Each notice will consist of the following standard headings: 
- purpose and scope: indicating the content of the notice; 


- issues: specifying the main reasons that prompted the develop- 
ment of the notice; 


= interpretation notice position: providing a précis of position 
papers, discussion papers or supporting material relevant to 
the guidance in question; where the guidance can be briefly 
stated, it will be provided in its entirety in this section; 


- disposition: indicating the action requested from internal 
audit groups, the monitoring activities of IASSD and an 
indication of whether the interpretation notice position will 
be ultimately incorporated within more formal policy and 
procedural documents such as the Standards for Internal Audit 
or the IACIA Internal Audit Handbook; 


- references (optional): identifying the legislative and official 
documentary references that are the basis of the interpretation 
notice position; 


- information and assistance (optional): providing the names 
and telephone numbers of personnel who can provide information 
concerning specific applications of suggestions included in 
the notice where this would be useful. 


The positions presented in the notices will be suggested positions, and 
therefore compliance will not be mandatory. The notices are meant to 
provide supplementary information which may be helpful to the internal 
audit community when interpreting and applying the concepts of the 
Standards to their unique departmental environment. 


DISPOSITION 


Questions, commentary and suggestions relating to the use of future PINs 
and areas where supplementary guidance would be helpful are requested 
from the internal audit community. Information, in this regard, can be 
provided through contacting the IASSDs liaison officers at (613) 996-6171 
or (613) 995-1297. 


a ay Treasury Board of Canada Conseil du Trésor du Canada 
Comptroller General Contrdéleur général 


No. 1983-02 Internal Audit 
Date: 01-09-83 Policy Interpretation Notice 


Subject: AUDIT WORKING PAPERS 


Office of the Comptroller General Policy Development Branch 
Internal Audit and Special 
Studies Division 


PURPOSE AND SCOPE 


The purpose of this notice is to announce the issuance of a position 
paper (refer to attachment) by the Internal Audit and Special Studies 
Division (IASSD) relating to the purposes, principles, content, structure, 
retention and disposal practices associated with good audit working 
papers. 


The position paper has been prepared primarily to ensure that the tradi- 
tional purposes of audit documentation are achieved in the federal 
government through a uniform and disciplined approach to audit working 
paper practices. A secondary reason for this guidance is to facilitate 
compliance with the requirements of the Access to Information Act and 
the revised TBS Records Management Policy where these initiatives impact 
audit working papers. 


ISSUES 


In the conduct of performance assurance review and liaison activities, 
practices relating to the preparation of internal audit working papers 
were found to vary among internal audit groups. In certain instances, 
the traditional purposes associated with audit documentation were not 
fully served by the existing working papers. 


The Standards for Internal Audit in the Government of Canada refers to 

the types of information an auditor would normally consider during the 
course of an assignment, but specific guidance relating to working paper 
preparation and retention was beyond the scope of that document. 

Consequently the attached position paper, "Audit Working Papers", provides 
supplementary guidance to enhance the overall quality of audit documentation. 


GaD Questions concerning this notice should be directed to: 
> 
®) Shin alone INTERNAL AUDIT AND SPECIAL STUDIES DIVISION 


POLICY DEVELOPMENT BRANCH 
at OFFICE OF THE COMPTROLLER GENERAL C di 
Canada (613) 996-6171 or 995-1297 andadda 


Bors 


With the right of public access to certain aspects of working papers 
formalized in the new Access to Information Act, the need for auditors 

to exercise care in the preparation of working papers is heightened. 

Audit documentation should be organized to allow disclosure to be handled 
economically, efficiently and effectively. In addition, the auditor 

must make certain that information retained in working papers is relevant, 
understandable, accurate and complete such that all reviewers are properly 
informed of matters pertaining to the audit. 


INTERPRETATION NOTICE POSITION 


The first two sections of the position paper clarify the purposes 
associated with audit documentation and the principles of proper working 
paper preparation. These sections serve as the basis for the approach 
taken in subsequent sections of the paper relating to content, organization 
and retention of audit documentation. 


The next section of the paper describes the necessary documentation that 
should result from each stage of the audit process and indicates the 
primary purposes served by individual working paper documents. Standard 
designs for working papers are not prescribed, rather, emphasis is 
placed upon how working papers support the activities of the auditor in 
each of the major stages of the assignment. 


General principles relating to the organization of working papers are 
then identified. Methods of indexing and cross-referencing are illustrated 
as are the uses of various working paper headings. 


The final section of the position paper highlights the current retention 
and disposal requirements related to audit working papers. It indicates 
that the existing six-year retention period for audit documentation will 
be studied for adequacy by IASSD. 


Throughout the paper, reference is made to the implications of the 
Access to Information Act on audit working paper practices. In summary, 
the following points should be considered: 


- although audit documentation has always served the important 
purpose of facilitating third-party review, this purpose will 
assume greater significance given the right of public access to 
working papers; 


- with the extension of the readership of audit documentation that 
may occur under the Act, a review of the emphasis placed upon the 
principles of working paper preparation may be in order; 


- specification of the normal contents of working papers will provide 
a basis for determining the nature and extent of information the 
public can reasonably expect for typical audits; 


® 


Sete 


- in the organization of working papers, auditor's should consider 
ways of allowing efficient segregation of exempt or excluded information 
from the main body of working papers which may be released; and 


= proper retention of working papers takes on obvious significance 
given the general public's legal right of access to government 
records. 


DISPOSITION 


The internal audit community is requested to provide comment to IASSD on 
the position paper. It is suggested that internal audit groups compare 
their existing working paper practices to the practices recommended in 
the position paper and report to IASSD instances where they feel the 
suggestions provided will not achieve the desired effects. 


Ultimately, the final position on audit working papers will be incorporated 
within the IACIA Internal Audit Handbook. Monitoring of working paper 
practices in departments will be performed as a part of the performance 
assurance review program of IASSD and will be based primarily on the 
guidance provided in this PIN. 


- a is. 


4s 


6 ©; 

tal tog 
a ws 
Je Deke 


Le 


7 


cae oe 1a 
gs Tile 


i & iy 
7 a “ a q le 
ie og & J 
Te, ose a 
- iy aes 
0 He be 


i } 
; 6 s ° : - 
Pane} ' vy 
y é as] LI 
i tzst 

~ eS —@ a4 < 
- 
a 


Attachment to 
PIN 1983-02 


AUDIT WORKING PAPERS 


A POSITION PAPER 


IN SUPPORT OF PIN 1983-02 


Internal Audit and Special 
Studies Division 
Policy Development Branch 


PREGA SHARON, TO 


AMSA WERT ARPA. 


Ses MPP POSES A ; 


Lit age beth titel: athrared 
Hasthlwitd eplbyts 
Maney) ineaigorwath sie 


Description 


CONTENTS 


| INTRODUCTION 


2 PURPOSES OF AUDIT WORKING PAPERS 


2 GENERAL PRINCIPLES 


4 AUDIT WORKING PAPER CONTENTS 


5 STRUCTURE AND ORGANIZATION OF WORKING PAPERS 


6 RETENTION AND DISPOSAL 


7 BIBLIOGRAPHY 


Appendices 


Appendix A 


Appendix B 


Appendix C 


Illustration of background planning information 
and the contents of an assignment planning 


memorandum 


Illustration of summary working papers 


Illustration of indexing/cross-referencing system 


for working papers 


11 


26 


31 


35 


5 Pw 
ee): ee 
» 


ny fa | 
; ane 
» \o ni ine Ty 


rare) MF. jaskhees ins 7 


ue? 
rae TY y% ry uavtie 


CHAPTER ONE 


INTRODUCTION 


For several years the internal audit community has recognized that the preparation 
of good audit working papers is an essential part of audit work. Though few auditors 
would disagree with the importance of audit documentation, practices governing 

the content, organization, use, retention and disposal of working papers in the federal 


government vary widely. 


The publication, Standards for Internal Audit in the Government of Canada as 
promulgated by the OCG, refers to the types of information an auditor would normally 
consider during the conduct of an assignment, but it was not intended as guidance 

to ensure a consistent approach to audit working paper preparation. This paper 
bridges the gap between the Standards and the various practices relating to audit 


working papers that have been adopted within departments. 


The primary reason for the provision of guidance in this paper is to help ensure that 
the traditional purposes of audit documentation are achieved through a uniform and 
disciplined approach to audit working paper content, structure and retention practices. 
A secondary reason for this guidance is to facilitate compliance with the requirements 
of the Access to Information Act and the TBS records management policy where it 


impacts on the audit working papers. 


The introduction of the Access to Information Act and a revised records management 
policy heighten the need for auditors to exercise care in the preparation of working 
papers. With the right of public access to certain aspects of working papers forma- 
lized in law, auditors are required to ensure that audit documentation is organized 

in a manner which will allow disclosure to be handled economically, efficiently and 
effectively. In addition, the auditor must make certain that information retained 

in working papers is relevant, understandable, accurate and complete so that all 


reviewers are properly informed of matters pertaining to the audit. 


Scope of the Position Paper 


The following major topics will be dealt with in this position paper: 


A aes 


& the purposes of internal audit working papers; 

8 general principles relating to the preparation of audit working papers; 
® appropriate audit working paper content; 

& organization and structure of working papers; and 

@ working paper retention practices. 


In this paper, the term working papers refers to the formal records of the plans the 
auditors made, the procedures they performed, the audit evidence they obtained 
and the conclusions they drew in arriving at their final report. There are normally 
two types of working paper file maintained for each audited entity - a permanent 
file used over many years and current working paper files prepared to support the 
auditor's most recent assessment of the audit entity under review. The chapters of 
this paper relating to purposes, principles and content are associated with all audit 
documentation accumulated during an assignment, and are not concerned as to 
whether the information is current or permanent in nature. The section on organi- 
zation and structure of working papers provides a method whereby the necessary 
content of assignment documentation can be logically arranged between current 


and permanent files. 


The guidance provided here is directed towards all audit documentation prepared 
within the internal audit community of the federal government, whether it be prepared 


by the internal audit group, or by agents hired through the contracting process. 


a 
W CHAPTER TWO 
THE PURPOSES OF AUDIT WORKING PAPERS 
The purposes of working papers described below, will serve as a basis for the approach 
taken in subsequent sections of this paper relating to the content, organization and 
retention of working papers. All audit documentation should be accumulated or 
prepared with these purposes in mind, so as to give maximum benefit to the auditors 


and interested third parties. 


The most important purposes of audit working papers are: 


& to facilitate effective conduct and management of the audit assignment; 

e to provide support for the auditor's report; and 

® to provide background and control for follow-up actions taken to correct 
» deficiencies. 


Other derived purposes are: 


@ to facilitate third-party review; 
@ to aid professional development; and 
e to provide a source of information for non-audit purposes. 


Facilitating Effective Conduct and Management of the Audit Assignment 


Good working papers can contribute to the effectiveness of various administrative 


tasks required for the proper management of an audit assignment. 


This section will outline these administrative tasks and the related contribution 


working papers can make towards allowing the tasks to be discharged effectively. 


ape 
a) Facilitating adequate planning (including the assignment of necessary resources) 


Documentation within the working papers of the planning decisions relating to 


audits in process, helps to ensure that: 
% planning is completed in an organized manner; 


® planning decisions are followed during the conduct of the field work (or 


explanations provided where changes occur); and 


@ an appropriate reference point is available for review both during and 


upon completion of the audit. 


Audit projects are often repeated, extended to cover additional areas or used as a 
basis for planning other assignments. Given the typical limitations on staff continuity, 
good working papers contribute to the quality of subsequent or complementary 


audits by providing a good starting point for succeeding auditors to: 


® reduce time spent in understanding the nature of the auditee's operations; 
@ identify areas of audit risk; 

® determine the scope of audit coverage; and 

@ determine, with a greater degree of accuracy, the time and staff required. 


b) Facilitating an organized approach 


A standardized structure for working papers helps to provide a useful framework 
for the organization of the audit work. Uniformity in structure enables several 
staff members or separate offices to work on different segments of a single assignment 


in a co-ordinated manner. 


An organized file influences the manner by which complex systems are reviewed, 
helping to ensure that major areas are not overlooked and that adequate depth of 


coverage is provided. 


ES 
c) Facilitating adequate control of field work 


A uniform file structure and method of preparing working papers provide guidance 
to audit staff on the job, reduce the chance of omission or of incorrect application 


of procedures and so contribute to the control of field work. 


During an audit, considerable information is obtained, discussed or examined. It is 
vital that formal records be maintained rather than committing information to 
memory, where undoubtably some of it would be lost. In addition, audit records 
serve as an important basis for the auditor's understanding of the auditee's programs, 
objectives and activities, and as such can be used as support for orderly discussion 


with operating personnel. 


Finally, working papers provide coherence to the numerous individual procedures 


comprising any given audit. 
d) Facilitating review and reporting to superiors 


Uniform working paper formats provide an efficient means for the audit team to 
communicate the results of their work to reviewers. Well-organized papers facilitate 
review by helping the reviewer spot omissions, deviations from normal procedures 
and unusual problems which were encountered. Good working papers provide for 
meaningful communication of key results and conclusions through the summarization 


of individual details. 


Provide support for the auditor's report 


In addition to contributing to the effective management of assignments, good working 
papers provide a vital link between the audit examination procedures and the auditor's 
report. Working papers represent evidence of the work done and should provide the 
proof that the examination as summarized in the auditor's report did encompass the 


areas identified. 


Working papers should provide a record of the audit procedures performed in respect 


of items in the report and the conclusions reached with respect to those items. 


5 es 


Well-structured working papers provide for effective debriefing sessions with auditees, 
allowing for ready access to pertinent facts and proof supporting audit report 


commentary. 


Finally, good working papers lend themselves to reduced report-writing effort; the 
continuous process of summarizing and refining individual audit results keeps the 


assignment focussed and easy to translate to report format. 


Provide background and control for follow-up actions 


Audit projects are typically followed up to ensure that corrective action was taken 
for reported deficiencies. Professional working papers provide background infor- 


mation for this task and reduce the likelihood of duplication of effort. 


Follow-up can take place any time from a matter of weeks after the audit, or not 
until the next scheduled assignment. The follow-up action can be controlled, however, 


through audit working paper documentation and a B/F system. 


Facilitating third-party review 


Internal audit working papers can be used by external auditors or other interested 
third parties as a means of evaluating the work of internal audit and in the external 


reviewer's assessment of the department's system of control. 


The Auditor General and Central agency evaluation groups have been the primary 
users of audit information in the past. With the introduction of the Access to Infor- 
mation Act, however, there may be increased use of working papers by the public 


should they exercise their rights provided by this legislation. 


In the eyes of third parties, working papers reflect the quality of the audit work 
done. Third parties should be able to satisfy themselves from the working papers 
that a proper audit was carried out. Working papers must be prepared with this in 
mind. 


a7 


It is important, therefore, that the working papers provide a complete record of 

the examination and can be readily understood by third parties. Adequate documen- 
tation of planning, background data of the audited entity, control systems, test 
procedures, results of test work, important discussions with auditees, decisions and 
conclusions reached, will enable reviewers of working papers to establish the adequacy 


and appropriateness of the audit procedures performed. 


Aiding professional development 


The discipline required to create good working papers provides an opportunity for 


new staff to learn procedures and exercise judgment in arriving at audit conclusions. 


Review of the staff's efforts can assist the staff appraisal process, help determine 
training requirements, and identify situations where staff are ready to take on 


additional responsibility. 


Providing a source of information for non-audit purposes 


Working papers can serve as a repository of information that may assist in non- 
audit tasks. Audit working papers often provide convenient summarizations of 
auditee data and may be useful in ways unrelated to the original audit assignment. 
For example, models of the management control framework may be helpful to 
auditees as planning input for system design changes or as a training device for 
their staff. Also, the work done by auditors may be useful as input to other studies 


such as those performed by program evaluators. 


Soe 


CHAPTER THREE 


GENERAL PRINCIPLES RELATING TO WORKING PAPERS 


The most important principles relating to audit working papers are: 


economy 
clarity 
relevance 
accuracy 
completeness 


simplicity 


balance 


Economy 


Working papers should be prepared with economy in mind: economical to prepare 


and review, to store and retrieve. 


Working papers should be a usable record of work done, spare but complete and not 

a repository for every scrap of information available to the auditor. The professional 
auditor includes only what is essential and makes each worksheet serve a purpose 
that fits into the audit objectives. Poor judgment in the extent of information 
retained will make working paper preparation, review, storage and retrieval 


uneconomical. 


Clarity 

Working papers should be readily understandable and require no supplementary 
information. Reviewers of the papers should be able to determine what the auditors 
set out to do, what they found, what was concluded and what was not done. 


Relevance 


Working papers should relate to matters which are pertinent and material. They 


should be directly related to the audit objectives. The likelihood of important 


stom 


information being overlooked or obscured is minimized when care is taken to include 


only that information relevant and sufficient to satisfy audit objectives. 


Indiscriminate filing of information is not only inefficient, but may lead to problems 
in responding to requests under the Access to Information Act. With the inclusion 
of irrelevant data, uninitiated reviewers may misinterpret or confuse the meaning 


of the content within the working papers. 


Accuracy 


Working papers should be prepared accurately, ensuring that observations and 
comments are specific, valid and objective. The working papers should provide 


reviewers with the proper perspective of the processes being examined. 


Oral comments obtained during the course of the audit should be paraphrased by 
auditors and a summary interpretation of the meaning of the comments should be 
included within the working papers. To ensure that there is no misunderstanding 
and that audit documentation is accurate, the auditee should be asked to confirm 


the auditor's interpretations. 


Completeness 


Working papers should record (a) for information obtained, all relevant and material 
facts and their source, (b) for audit procedures, their nature, timing, extent, results 
and the name of the auditor who performed them and (c) for audit conclusions, the 


conclusions and the basis for arriving at those conclusions. 


An inquiry should not be dropped without explanation. 


Simplicity 


Working papers should be comprehensible to the uninitiated reviewer. Jargon should 


be avoided or properly defined where necessary. 


SHOR: 


Balance 


Working papers should reflect all findings including positive results as well as any 


deficiencies on which action should be taken. 


Balanced working papers reduce the likelihood of a distorted impression being left 
with reviewers as to the adequacy of the management control framework under 
review. In addition, balanced working papers provide the proper basis for an effective 


audit report. 


=) (s2 
CHAPTER FOUR 
AUDIT WORKING PAPER CONTENTS 
Working papers should document the entire audit process, commencing with the 
planning stage and following through the stages of review, evaluation, verification 
and reporting. 
Each of these stages of the audit process has been described in Chapter 7 of the 


Standards for Internal Audit and in The Guide to the Development and Conduct of 
Audit Assignments. Some restatement of information from these documents has 


been made in this paper to clarify the nature of the various working papers generated 


in each stage of the audit. A study of working papers cannot be separated from the 


audit activities they are meant to facilitate and record. 


This chapter describes the necessary documentation that should result from each 
stage of the audit process and indicates the primary purposes served by various 
working paper documents. The next chapter will provide guidance as to how the 
necessary working paper content should be organized into permanent or current 
working paper files. The reader should also recognize that the principles outlined 
in the previous chapter should be carefully applied to each document prepared for 


inclusion in the working papers. 


In addition to the following narrative comments relating to audit documentation, 


Table | summarizes the various purposes of each working paper document. 


Assignment Planning Phase 


The principal documents arising from this phase are: 


® background information relating to the nature, characteristics and 


boundaries of the audit entity; and 


® the assignment planning memorandum. 


= ile? = 
Table | 


Retention 


Audit Working 
Paper Purposes 


Audit Working 
Paper Contents 


Effective Conduct and 
Mgt. of Assignment 
Auditor’s Report 
Background for 

Third Party Review 
Aid for Professional 
Development 
Non-Audit Purposes 
Permanent File 


Support for 
Follow-up 


feunen te | 


Assignment Planning Phase 


Background Data 


Planning Memo 


Review Phase 


Detailed Documentation of Existing 
Control Framework 


Predetermined Control Model 
Control Questionnaires 
Register of Essential Controls 


Register of Compensating Controls 


X 
X 
x 
X 
X 
X 


Summary of Control Weaknesses 


Evaluation Phase 


Documentation as to the Adequacy 
of Controls 


Verification Plan Procedures and 
Results 


Cause and Effect Analysis 


Summaries of Audit Observations, 
Conclusions, Recommendations 


(For explanation of symbols see next page.) 


» 


Audit Working 
Paper Purposes 


Audit Working 
Paper Contents 


- 13 - 


Table | 


Effective Conduct and 
Met. of Assignment 
Support for 
Auditor’s Report 
Background for 
Third Party Review 
Aid for Professional 
Development 
Non-Audit Purposes 
Current File 
Permanent File 


Reporting Phase 


Supervisory Review Checklists and 


Notes 


Debriefing Notes 


Draft Audit Report 


Final Audit Report 


Management Responses and Action 


Plans 


Follow-up Notes 


(A) 


primary purpose served by the working paper 
secondary purpose served by the working paper 
information is relevant to supporting the assessments of the specific 


assignment, but is also of continuing interest; information may be retained 
in both files or carried forward from current file to permanent file. 


hee 
a) | Background information 


In formulating the scope parameters of the assignment the team leader must develop 
a good working knowledge and understanding of the audit entity. The gathering of 
background information serves the auditor with various reference points for deriving 


an overall appreciation of the audited entity. 


All background information which provides the auditor and subsequent reviewers 
with a summary of relevant current facts, policies, systems and organizational 
structures pertaining to the audit entity should be retained in the working papers. 
The period of retention will be discussed in subsequent sections of this paper but 
the criteria generally applicable is that the background information retained is 


current and of continuing relevance. 


A description of typical background information gathered by the auditor is outlined 


in Appendix A of this report. 

b) Assignment planning memorandum 

The assignment planning memorandum is the principal document of the planning 
phase of the audit. It should provide a documented summary of planning information, 
audit considerations, assumptions and decisions taken. 

In that the memorandum establishes the overall plan for the audit, it is vital for 
facilitating the effective management of the assignment, serving as a basis for 


planning and conducting all subsequent phases of the audit. 


The memorandum also serves as a useful reference point for discussions held with 


auditees and for subsequent reviewers of the assignment. 


The principal components of the assignment planning memorandum are outlined in 
Appendix A. 


Review Phase 


The principal documents arising from this phase are: 


21 Ske 


@ detailed descriptions of programs, objectives and activities under review; 
® predetermined control models; 
8 control questionnaires, decision tables or other techniques used to identify 


the existence of controls relative to the predetermined control model; 


e criteria relating to the evaluation of the adequacy of controls; and 


e working papers which summarize: 


- essential controls 
- compensating controls 


- control weaknesses. 


a) Detailed descriptions 


In the review phase, the gathering of detailed descriptions relating to the management 
control framework can be viewed as an extension of the background information 
gathering activities of the assignment planning phase. This documentation serves 

as the basis for the auditor's understanding of the auditee's programs, objectives 

and activities and as such, can be used as support for discussion with operating 
personnel. In addition, the discipline required in preparing these working papers 
serves as a necessary audit control technique, helping auditors to clarify to them- 


selves and reviewers their understanding of the entity under review. 


Modelling techniques are often used in displaying the review phase documentation 
in the working papers. Models are presented typically as either narrative systems 
descriptions, organization and responsibility diagrams or outline and procedural 
flowcharts. The systems and processes of the audit entity most often addressed 
include program structure and logic, the management control framework and the 


organizational structure and accountability relationships. 


As a necessary control, working papers should include documentation of the validation 
procedures employed to verify the relevance, completeness and accuracy of the 


data collected. 


SG 


b) Predetermined control model 


The documented predetermined control model provides the basis or framework for 
evaluating the effectiveness of the audit entity's processes under review. This 
documentation is a critical dimension of the evaluative process, setting out the 
auditor's expectations relating to the control objectives that should be achieved 


within the entity under review. 


Related to the predetermined control model, the working papers should set out the 
techniques that will be used to elicit information relating to whether controls actually 
exist for the various control objectives set out in the model. Frequently used 


techniques include control questionnaires or checklists. 


Criteria that will be used during the evaluation phase of the audit should be refined 
and documented in the working papers during the review phase. These evaluation 
criteria relate to the means by which an auditor will assess whether the results of 


existing controls are achieving the desired control objectives. 


The predetermined control model and the evaluation criteria should be discussed 
with the auditee during the review phase or earlier, if the opportunity exists. In 
addition to keeping the auditee fully informed, this discussion will seek to elicit 

any concerns or disagreements the auditee may have with the proposed framework 

of the evaluative process. Where these concerns are significant, it may be necessary 
to re-evaluate or modify the audit approach to incorporate management's suggestions 
or concerns. The working papers should provide a complete record of this discussion 
so that subsequent reviewers can determine whether adequate steps were taken by 
the auditor in seeking agreement as to the premises underlying the evaluative aspects 
of the assignment. Such evidence will lend greater credibility to the standards 

used by the auditor in the evaluation of the adequacy of controls and performance 


of the entity under audit. 
c) Application of the control model 
At this stage in the assignment, the auditor will normally apply the control question- 


naire (or related technique) to determine whether there is an actual control in 


place for each of the essential control objectives. Control questions may be answered 


a hij 


from existing systems documentation or through further limited discussion with the 


auditee. 


Where controls related to control objectives are identified they should be specifically 
documented in the working papers. A convenient means of recording controls which 
the auditor considers necessary to effective operations is through the use of the 


Register of Essential Controls, a type of worksheet illustrated in Appendix B. 


This working paper serves as a useful summary to auditors and reviewers, and 


provides: 
» a means of documenting in an organized manner the controls in existence; 
@ a means of identifying those controls considered essential; 
® a record from which procedures and tests can be developed to substan- 
tiate the effectiveness of controls; 
® a record of the results of substantive testing; and 
® a record of weaknesses identified in the operation of essential controls. 


When a control is not identified for a control objective the auditor should establish 

if part of the control framework has been missed in the original documentation of 

the system, or if compensating controls exist. The documentation of compensating 
controls can be documented on a worksheet such as the Register of Compensating 
Controls, illustrated in Appendix B. Essentially this worksheet serves purposes 

similar to the Register of Essential Controls, however it highlights that control 
objectives are not directly served by certain controls but are met through the secondary 


effects of compensating controls. 


Where no adequate compensating controls are found during the limited review, the 
auditor must assume that a deficiency or weakness exists. These weaknesses may 
be documented on a worksheet such as the Summary of Weaknesses, also illustrated 


in Appendix B. 


Pea 6 

The principal purpose of these worksheets is to ensure that control strengths and 
weaknesses identified are recognized in developing evaluation and verification 
procedures and/or formulating audit findings. 

Evaluation Phase 


The principal documents arising from this phase are: 


@ control questionnaires or related techniques designed to determine 


whether identified controls are operating effectively; 


@ supporting documentation relating to the application of the above 
questionnaire; 

e a verification plan, procedures and results; 

@ cause and effect analysis for identified control weaknesses; and 

e audit observation, conclusion and recommendation worksheets. 


a) Documentation of the effectiveness of controls 


In evaluating the adequacy of identified controls, the auditor will assess whether 
these controls are achieving desired results. To do this, the auditor uses the 
management control objectives and the evaluation criteria established in the review 


phase as a basis upon which to answer the questions: 


@ is the control being used as intended? 

® is data supplied by the control system accurate, representative and 
timely? 

€ is the existing control framework appropriate to the entity? 


To elicit answers to these questions, the auditor will normally prepare a control 
questionnaire which focusses on specific results of controls in place. At this point 
in the audit, these questionnaires are applied to the information gathered during 


the review phase. 


SS 


The results from the application of the control questionnaire and limited tests 
should be documented as the basis for audit findings as to the effectiveness of 


existing controls. 


Based on the findings derived to this point in the audit, the auditor may be in a 
position to conclude that certain controls exist and are operating effectively. If 
so, this conclusion should be documented and the auditor need not consider further 
documentation relating to this control until the reporting phase. Conversely, the 
auditor may find that controls do not exist or are operating ineffectively. In such 
cases the auditor will document these findings and will proceed with cause and 


effect analysis as described below. 
In many cases however, the auditor may be faced with two problems: 


a) the information on hand does not sufficiently corroborate the tentative 


conclusions or findings reached to this point; and 


b) some questions relating to the effectiveness of controls are impossible 


to answer without additional information. 


In such cases the auditor must determine detailed verification tests necessary to 
arrive at a position where definite findings or conclusions can be made, at which 

time the examination can then proceed to cause and effect analysis or the reporting 
phase. The decision as to whether or not the auditor has sufficient evidence to 
provide a satisfactory conclusion relating to the effectiveness of controls is a difficult 
one that requires professional judgment on the part of the auditor. This subject 
matter goes beyond the intended scope of this paper, but will be separately addressed 
in a subsequent paper on audit evidence. The audit working papers, however, should 
clearly document the auditor's decision-making process, the findings and conclusions 


relating to the study of the effectiveness of controls. 
b) Cause and effect analysis 
On completion of the necessary procedures to substantiate existing controls and 


significant deficiencies, inefficiencies and weaknesses, the auditor will be in possession 


of a body of audit findings recorded on worksheets such as the Register of Essential 


Beg [prs 


Controls, the Register of Compensating Controls and the Summary of Weaknesses. 
To develop audit findings, conclusions and recommendations for reporting purposes, 
the causes and effects of control deficiencies must be analyzed. The focus of this 
analysis is to substantiate hypotheses on the reasons for, and significance of, failure 


to match the specified audit criteria. 
Audit working papers should document: 


a) aclear statement of the problem revealed by an audit finding or group 
of findings. This statement should be supported through reference to 
control weaknesses noted in the course of the review and evaluation 


phases and substantiated in the verification phase; and 


b) aclear statement of cause and effect substantiated through further 
analysis and limited testing as necessary. Effects will usually be derived 
through reference to the control objectives outlined in the predetermined 


control model. 
c) Summarization of audit findings, conclusions and recommendations 


For each area/activity subject to audit, the auditor should now have accumulated a 
list of findings, substantiated by verification procedures and analysed for cause and 
effect where controls were found deficient. Summarization of these findings is a 
useful control for auditors, substantiating to reviewers that the scope of the audit 
has been satisfactorily covered and concluded upon. Summaries are beneficial in 
tying together groups of working papers relating to a particular issue. Relating 
summary findings to the original planning memorandum ensures that all significant 
areas have been covered. 


Summaries also act as a mechanical control over the underlying working papers. 


They provide the important link between the audit report and detailed supporting 


working papers. 


Reporting Phase 


The principal documentation of this phase includes: 


2D ilee 


® supervisory review checklists and notes; 

® working papers relating to the presentation of audit findings to the 
auditee; 

e draft audit report; 

@ final audit report; and 

® management responses to audit findings, action plans and audit report 


follow-up notes. 
a) Supervisory review 


Audit working papers should be reviewed on a regular on-going basis by the team 
leader as the audit progresses. As a minimum, the audit manager should review 
working papers at the completion of the assignment planning phase and again, at 
the completion of the audit team's development of findings, conclusions and 


recommendations. 


In the working papers, it is informative to retain evidence of the supervisory review. 
Inclusion of supervisory review checklists, duly signed off, will provide a record of 
the basis by which review took place. Review checklists should indicate at minimum 


that the reviewer is satisfied that: 


8 the scope of coverage has been adequate; 
® the working papers documentation is complete; and 
8 appropriate evidence has been obtained and documented to support 


audit findings and conclusions. 


Additional areas encompassed by the review may include: 


@ that only material relevant to audit objectives has been retained in the 


working papers; and 


ip 


® working paper information is properly organized and will facilitate 


third-party review should the need arise. 


Proper review of the working papers is a necessary quality control measure, helping 
to ensure that established standards of audit conduct are maintained and that budgets 
and deadlines are met. Review may also provide secondary benefits by ensuring 

that concise, relevant, accurate and complete information is available and easily 
retrievable in the working papers for external reviewers such as the Auditor General, 
Central agency evaluation groups, program evaluation staff, or the general public 


who exercise their rights under the Access to Information Act. 


Detailed review notes are sometimes retained in the working papers along with the 
review checklists and reviewer conclusions. Presuming that reviewers ensure that 
working papers are completed to the point where all review notes have been adequately 


cleared, retention of the review notes is typically unnecessary. 


b) Presentation of audit findings to the auditee 


There should be a continuous dialogue between auditors and auditee management 
throughout the course of the audit assignment. There are, however, certain formal 
communication requirements, one of which is the requirement for the team leader 

to provide auditee management with a summary of audit findings and recommendations 


prior to drafting the final report. 


Once the team leader is satisfied that all working papers have been completed and 
reviewed and a summary of audit findings, conclusions and recommendations prepared, 


a meeting with the appropriate auditee should be arranged. 


Working papers should provide evidence that the auditor provided auditee management 
with an opportunity to review the results of the audit prior to the time that the 


auditors left the audit site. 


The working papers should illustrate the audit findings discussed and the auditee's 


reactions. This will serve to: 


23% 


a) lend greater credibility to the audit findings that will be included in the 
final report. After the exit review there may be disagreement on 
conclusions and recommendations included in the draft audit report but 
there should seldom be disagreement or subsequent surprises on factual 


matters; 


b) provide assurance to reviewers that the auditor has taken steps to ensure 
that all relevant facts related to the audit findings were considered in 


reaching conclusions; and 

c) provide evidence that auditees were informed on a timely basis of findings, 
thereby allowing them the earliest opportunity to initiate corrective 
action. 


c) Preparation of the draft and final audit reports 


There is no standard or universal mode! for the audit report. However, all reports 


should incorporate the following elements: 


e an outline of the audit objectives and scope including any limitations to 
scope; 

6 a brief description of the audit approach followed; 

& an overview of the audit entity in sufficient detail to convey that the 


auditor has gained a good general perception of the nature of the entity, 


and the environment in which it operates; and, 


CO) a summary of the major findings, conclusions and recommendations 
which states clearly the nature of the problem, the causes, the implications 


and the action's to be taken by each level of management, as necessary. 


In preparing the report the team leader must ensure that the audit findings are 
adequately supported by evidence contained in the working papers. A working copy 
of the draft report should be cross-referenced to the supporting working papers to 


facilitate reference to the evidence that is backing the findings and conclusions. 


a uae 


The audit report should include only relevant and significant information expressed 
logically and concisely, and addressed clearly to those who have the responsibility 


for initiating corrective action. 


Draft reports represent part of the decision-making process which culminates in 
the final audit report. In a sense, the draft report is a more formal presentation of 
audit findings to the auditee and essentially serves the same purposes as the exit 


debriefing, but in a more formal manner. 


The receipt of formal responses from auditees to the draft material presented by 

the auditor may be considered to serve a purpose similar to the external auditor's 
use of the "letter of representation". The confirmation by the auditee of the validity 
and appropriateness of the auditor's findings and conclusions serves as an additional 
and necessary form of substantiation in ensuring that the final audit report is 
presented as objectively as possible and includes all relevant facts. This process 

also serves to ensure that changes within the audited entity from the time of the 
auditor's debriefing may be communicated to the auditors for their consideration 
before preparing the final audit report. The use of an actual letter of representation 
adapted for internal audit purposes is being studied by the OCG. If necessary, 
further comment on this subject will be provided through a future Policy Interpretation 


Notice. 


The final report represents the ultimate product of the audit process and should be 
retained in the working papers. Once the final audit report has been issued, the 
senior executive responsible for the entity audited should require the preparation 

of appropriate action plans. A copy of these plans should be forwarded to the internal 
audit group for review and comment. This plan should contain implementation 


dates and be retained in the working papers. 


During the course of the implementation of the action plan the auditor should monitor 
progress reports and retain them on file for the sake of completeness. The working 
papers should reflect evidence that the usual role adopted by the auditors in follow- 
up was properly discharged. In this regard, the auditor normally advises senior 
management as to the acceptability of corrective action taken by line management 

in response to audit findings and recommendations. Working papers should indicate 


the auditor's conclusions as to whether implementation of the action plans has been 


BOs 


satisfactory and where necessary, document inadequate action. The steps taken by 
the auditor in ensuring that senior management remained informed until adequate 


action was taken should be provided in the working papers. 


Occasionally, a separate follow-up audit may be warranted. In this situation a 
detailed memo outlining the circumstances should be prepared so that additional 
work may be included in the long-term plan and the annual schedules. The working 
papers should include points for follow-up as reference to any future audits to be 


performed in the area. 


A detailed treatment of follow-up procedures is beyond the scope of this paper but 


will be the subject of a future paper. 


76 


CHAPTER FIVE 


STRUCTURE AND ORGANIZATION OF WORKING PAPERS 


As noted in the section relating to the purposes of working papers a number of 


useful effects can be achieved through maintenance of well-structured files. 


Proper organization of working papers can lead to benefits such as: 


e allowing several individuals or separate offices to work on different 


segments of an assignment in a co-ordinated manner; 


@ bringing discipline to the audit approach, reducing the chance of omissions 


in the review of complex systems; 


® serving as a tool for instruction to audit staff; 
® facilitating efficient communication of results; and 
© facilitating review by helping to isolate deviations from normal procedures. 


This section does not propose detailed guidance relating to the structure of working 
papers but will identify procedures in common usage that serve to meet the purposes 


noted above. 


General Organizational Principles 


A uniform policy for the organization of working papers should be established within 
the audit group. Uniformity in the type of files maintained, stationery used, indexing 
and general layout of working papers allows for many of the benefits noted above, 
particularly the advantages of providing for proper co-ordination between auditors 


and for efficient reference and review. 


Working papers are usually divided into two types of files: permanent and current. 
The organization of files into these types segregates background information of 


continuing interest that relates to the audit entity from that information which 


95 [= 


supports the auditor's current assessment of the adequacy of the management control 


framework under review. 


The allocation of the various working papers accumulated or prepared during the 
audit between these two groups of files varies in practice. Generally, certain types 
of information are associated with either permanent or current working papers and 


this breakdown is identified in Table 1. 


In practice, some variation in the content of permanent versus current working 
papers can occur. Differences in treatment generally relate to the extent of infor- 
mation of continuing interest that is maintained in the permanent file or included 

on schedules in the current working papers. Certain schedules retained in the current 
file that relate to the current assessment of the audited entity may be of use in the 
planning of a subsequent assignment. As a standard procedure, the audit group may 
designate that all such schedules in the current file need not be retained in the 


permanent file but simply carried forward at the time of the subsequent assignment. 


Proper organization of working papers could accept either treatment. Consistency, 
however, in the manner by which working papers are divided by the audit group is 
extremely important. Reviewers of current working papers must have assurance 

that there has been no misfiling of evidence in support of individual assignment 
reports. Conversely, where certain information of continuing interest is filed in 
current working papers, the audit group must establish a procedure that ensures the 
information will be carried forward to subsequent assignments. Proper carry-forward 
procedures are particularly important if different retention practices are established 


for current and permanent working paper contents. 


Auditors usually maintain other files, such as correspondence files. For the purpose 

of this paper, these files are not considered to be audit working papers since they 

do not normally contain papers of continuing interest or information directly supporting 
the auditor's report. When they do contain such papers, copies of or references to 

them should be included in the working papers because audit working paper files 


should be complete in themselves. 


Soke 


Indexing and Cross-Referencing 


Finding information in the working paper files is best facilitated by an index system 


and liberal use of cross-referencing. 


The system of indexing should be simple and flexible. One such system is to use a 
capital letter to designate broad segments of the audit and numerals for the worksheets 
within the segments. Appendix C illustrates an indexing system and reflects how it 


can be readily expanded to accommodate a large body of working papers. 


The indexing system should be known at the beginning of an assignment to avoid 
the situation where an auditor is faced with a mass of unreferenced papers. To 
keep working papers referenced on an ongoing basis the audit team leader should 


assign index references at the same time that tasks are assigned. 


Cross-referencing related data within the working papers greatly facilitates review 
and provides ready access to supporting information during debriefing sessions. 
Cross-referencing audit plans to procedures applied, audit programs to the results 
of tests and the audit report to supporting evidence are examples of typical areas 


where this technique is most useful to prime users and reviewers of audit files. 


The cross-referencing system uses the indexing references assigned to working 

papers. One method of cross-referencing commonly employed places significance 

on the location of the reference. References appearing to the left of the correlated 
data indicates the working paper from which the information was derived. References 
to the right of correlated data indicates the working paper to which the information 


is being carried forward. 


Example A figure, 1234.56, is referenced from working paper K2 to draft report 
page A4 


a) on K2 the reference would be: 
1234.56 A4 


b) on A4& the reference would be 
K2 1234.56 


Soke 


Cross-references, of course, are not restricted to tying figures together 
) but are applied liberally to all related information contained in separate 
working papers. Appendix C illustrates how various segments of the 


working papers can be correlated. 


Headings 


The headings on individual working papers should facilitate the proper filing of the 
papers and the locating of specific information, and should enable the reviewer of 


the papers to determine who prepared them. Each paper should therefore include: 


- period of examination 

- title, subject or description of working paper 
- date of preparation 

- initials of the preparer 

~ initials of the reviewer 


- indexing and cross-referencing codes. 


) Segregation of sensitive information 


With the introduction of the Access to Information Act, internal auditors should 
pay particular attention to information accumulated within working papers that 
should not be disclosed should there be a request under the Act (reference should 


be made to the Policy Interpretation Notice issued by the OCG entitled Treatment 
of Access to Information Requests for Audit Information). 


To allow for efficient processing of access to information requests, the internal 
audit group should initially review the nature of the subject matter of the assignment 
and determine the extent of exempt or excluded information that will likely be 
accumulated in the working papers. Where little of such information is associated 
with an assignment, the internal audit group need not be concerned with segregation 
of sensitive material until a specific request is received. Alternatively, where it is 
expected that considerable exempt or excluded data will be accumulated during the 
assignment, the internal audit group may wish to segregate sensitive information 


from the working papers as they are prepared or accumulated. Where, in the auditor's 
| iB judgment, a request for information is likely to be received and there is considerable 


30% 


exempt or excluded information associated with an assignment, greater efficiency 
in processing the request will be achieved by segregating sensitive information as 
the working papers are prepared. If a request is then received, only the segregated 
material needs to be reviewed in determining the extent of information that can be 


disclosed. 


When segregation of sensitive information is performed as the working papers are 
being prepared, the main body of working papers could include a number of "dummy 
worksheets" which indicate the nature of sensitive information that is being held 
separately. Where such information is related to data included in the main body of 
working papers, the dummy worksheets could contain cross-references to that data 
to ease review and retrieval. In that the head of a government institution is not 
required to indicate the existence of a record which is not disclosed, the dummy 
worksheets themselves may also be withheld from disclosure when they relate to 


excluded or exempt information. 


a3 ihe 


CHAPTER SIX 


RETENTION AND DISPOSAL 


Authority for Disposal 


The revised TBS records management policy (refer to TBS circular no.: 1983-09) 
provides a broad definition of public records so that most types of audit working 
paper documentation would be considered to be included within its scope. When 
this policy is read in conjunction with the Public Records Order (P.C. 1966-1749) 
virtually all documented audit information, regardless of physical form, made or 
received in pursuance of federal law or in connection with the transaction of public 


business, falls within the scope of the policy's provisions. 


With the inclusion of audit working papers within the scope of the TBS records 
management policy, audit groups must not destroy records or permit their removal 
from the control of the Government of Canada except in accordance with the schedules 


approved by the Dominion Archivist. 


Although audit groups do not have authority to dispose of working papers outside of 
the provisions of the records management policy, they still retain special knowledge 
about the retention value of audit working papers. As such, audit groups working 
through their departmental records management system have a responsibility to 
advise on necessary retention cycles to ensure that storage of working papers is 


done economically and efficiently. 


The following section provides guidance as to the method by which auditors can 
review the retention value of working papers for the purpose of advising departmental 
records management personnel. At present, Schedule 2 of the General Records 
Disposal Schedules, approved by the Dominion Archivist, establishes a six-year 
retention cycle (two years current; four years dormant) for audit working papers. 

This standard and the existing retention practices adopted within the internal audit 
community are being studied by the OCG for adequacy. At the conclusion of this 
study, more definitive guidance will be provided regarding proper retention cycles. 
Until such time, the six-year retention standard should be applied to all audit working 
papers content, adjusted for longer cycles where there exists additional value as 


described in the following section. 


oe 


Evaluating Working Papers for Retention Value 


Because the storage of working papers can require a great deal of costly space, the 
determination of the proper retention period constitutes a practical problem for 
audit groups. Retention should be guided by a review of the continuing value asso- 


ciated with working papers. 


In evaluating working papers, four primary types of value should be considered. 


These are: 
e administrative value 
e legal value 
@ fiscal value 
r) informational data value. 


Administrative Value 


The administrative value in records may be defined as those records required to 


carry out the current activities of the audit group. 


All working papers contribute to the proper administration and conduct of an audit. 

As has been illustrated throughout this paper, the orderly accumulation of audit 
information serves a number of purposes relating to the effective completion of an 
audit assignment. Once an audit is complete however, determination of the continuing 


administrative value of working papers represents a difficult problem for auditors. 


In assessing working paper records for any remaining administrative value, the 
auditor should consider the following questions for each record and, when the answers 
are "YES", then the records will be considered to have no more administrative 


value: 


(a) Has the record ceased to contribute to the administrative performance 
of the function which it supported? 

(b) Has the original purpose of the record been fulfilled? 

(c) Is the record being retained as a convenience or because it has been the 


practice to keep it? 


Dee 


(d) Has the transaction within each individual record been completed? 
(e) Has the record been kept merely to guard against administrative blame? 


(f) Is the record available elsewhere, i.e., is it duplicated? 


Legal Value 


The legal value in records may be defined as those records which involve long or 
short term rights of the government or of the private citizen and which are enforce- 


able by the courts. 


The retention of internal audit working papers in the public sector because of their 
legal value is less predominant than in the private sector where an action for tort 


or breach of contract is an important consideration for external auditors. 


Nevertheless, specific legal requirements should be determined by the auditor to 
ensure that retention practices protect the legal rights of the department and 


individuals. 
Fiscal Value 


The fiscal value in records may be defined as those records which departments 


require to show how moneys were obtained, allotted, controlled and expended. 


Audit working paper retention has been traditionally associated with their fiscal 
value. In the General Records Disposal Schedules (approved by the Dominion 
Archivist and issued under the authority of the Public Records Order P.C. 1966- 
1749) audit working papers were given a six-year retention cycle in order to protect 
their underlying fiscal value. This practice has been carried over from external 
audit practice and may be of questionable relevance in the federal government 


environment. 


Informational Data Value 


This multi-purpose value may be defined as the ability of a record to aid in the 
reconstruction of the past activities of a department, to provide information for 
current and future planning, and to furnish data upon which new activities may be 


based. 


Slee 


Much of the information retained in working papers has some informational data 
value. For the internal audit group, certain aspects of working papers, typically 
included in the permanent working paper files, are of continuing use in the planning 
and conduct of future assignments. All audit information pertaining to the last 
assignment at a specific audited entity has value to external reviewers, particularly 
the Auditor General, for establishing a basis upon which the activities of the internal 
audit group can be evaluated. With the increasing emphasis placed by the Auditor 
General upon relying on the results of internal audit work, recognition of the 
continuing informational data value of working papers is significant when establishing 


proper retention cycles. 


EN 


Pa Ge 


CHAPTER SEVEN 


BIBLIOGRAPHY 


Books 


Anderson, Rodney, J. "The External Audit 1, Concepts and Techniques", 
Pitman Publishing 1977. 


The Canadian Institute of Chartered Accountants "Good Working Papers", 
1980. 


Sawyer, Lawrence, B. "The Practice of Modern Internal Auditing", The 
Institute of Internal Auditors, Inc., Altamonte Springs, Florida, USA 
1981 Expanded Edition. 


Federal Government Reference Documents (forma!) 


Circular No.: 1983-09, Records Management Policy, Treasury Board 
Secretariat; March 22, 1983. 


General Records Disposal Schedules of the Government of Canada, 
Public Archives of Canada, 1978 Third Edition. 


Records Scheduling and Disposal, Public Archives of Canada, 1972. 
Standards for Internal Audit in the Government of Canada, Office of 


the Comptroller General, Policy Development Branch, Treasury Board, 
1982. 


Departmental Internal Audit Reference Documents (informal) 


Interdepartmental Advisory Committee on Internal Audit (IACIA), Internal 
Audit Handbook, Volume II, Book 1, Chapter 1, Exposure draft: "Guide 


to the Development and Conduct of Audit Assignments". 


Saar 


2. Office of the Comptroller General, Policy Development Branch, Position 
paper: "Treatment of Access to Information Requests for Audit 


Information". 


) Appendix A 


BACKGROUND INFORMATION GATHERED 
DURING THE ASSIGNMENT PLANNING PHASE 


To obtain an overall appreciation of the audited entity, the auditor will normally 


obtain and include within the working paper documentation: 


# significant legal, financial and regulatory constraints that impact upon 
the audited entity including as sources such documents as the Main 


Estimates, legislation, regulations and Central agency policy; 


® environmental information including the objectives and activities of all 


organizations affecting the operations under review; 


® previous studies and audit reports that have either directly or indirectly 


had an effect on the operations of the auditee; 


® internal information for both the audited entity and the department, 


such as: 


~ organization charts and position descriptions; 

- delegation of authorities documents; 

~ significant financial and other operating data including long-term 
and annual plans, budgets and variance reports, management reports, 


person-year allocations and performance measurement reports. 
ASSIGNMENT PLANNING MEMORANDUM 
An assignment planning memorandum should include as a minimum: 


® a summary of the scope and objectives of the assignment and any limitations 


placed thereon; 


-2- Appendix A 
an overview description of the audit entity encompassing: 
- legislative authorities and mandate; 
- key objectives and goals; 
- resources employed (human, financial and physical); 
- key organizational/operational issues and constraints; 
~ principal information and control systems; 
- principal management control mechanisms; 
- significant changes in operations/system/influences over the past 
two years or since the last audit; and, 
- known/expected future influences on the audit entity. 


principal issues and anticipated lines of audit enquiry; 


audit strategy decisions including the audit approach and general notes 


on audit techniques decisions; 
basic audit objectives and associated criteria developed; 


outline of audit report format(s) taking into account levels of reporting 


required; 

resource requirements including identification of specialist skills; 
time budget and critical milestone dates; 

assignment of staff responsibilities; 

any other significant considerations or outstanding issues; and, 


confirmation of approval to proceed. 


Appendix B 


SHSSANYVAA SHaNGADOAUd LIGNV SoINpss01dq YIpPny 
HO AUVAWNS OL NOLLVOIATUSA UOTLEOTFIISA 9Z1¢ afdwes/siseg 
QsaaedssAda SAIONSIOIISG HO SLTNSAA OL s9uUsI9feY 
SASSANSVAA LSAL NOLLVOISIMSA SO FUNLVN 


:Aq PaMdTAady 


:Aq posedaig 


STOULNOD TVLLNASSA AO YALSIOAUY 


TOULNOD 
TWLLNASSA 


dO AANLVN 


SAONANSATa 
dddvVd 
ONISTYOM 


Appendix B 


SSANUVAM JO 
AaYNLVN 


ENOILVOISINSA ESTOULNO j 
INGHGOUNVIN Boe ae é INOS ELNVOIAINDIS SSANAVAM SI 


ONILVSNAdWOD 


Nav acs | Sasa [eee ee 
NOILOYV EGALYOdaY MOH 


:Aq pamaIAay 
:Xq peiedsig 


SAaSSANNV3M AO AUVWWNS 


AONAY: 
ddd\ 
ONIAG 


Appendix B 


REGISTER OF COMPENSATING CONTROLS 
Prepared by: 


Reviewed by: 


COMPENSATING CONTROLS 


Flow Chart/Systems 
Document Reference 


WORKING 
PAPER 
RERERENCE 


Verification 
Procedure Reference 


Description 


Appendix C 


ILLUSTRATION OF INDEXING/CROSS-REFERENCING SYSTEM 
FOR WORKING PAPERS 


CURRENT WORKING PAPER FILES 


(1) (2) 


Subject Index References to References fron 


General/Administration (File 1) 


Final Report; Final management letter A - Cy DEG 
Management comments and action plans B A source (3), 
Follow-up notes S B source 
Draft report; Draft management letter D A EG 
Verbal debriefing - notes iP D source 
Supervisory review checklists and notes F (4) (4) 


Summary of audit observations, conclusions 


and recommendations (including cause/ 


effect analysis) G A, D IAG 
Assignment Planning Memorandum H (5) (5) 
Correspondence I as necessary source 


(For explanation of symbols see next page.) 


Subject 


Supporting Working Papers (File 2) 


Register of Essential Controls 


Register of Compensating Controls 


Summary of Weaknesses 


Control Questionnaires 


Documentation in response to control 


questionnaires 


Predetermined control model 


Documentation of existing control 


framework 


Verification plan, procedures, results 


Explanatory Comments 


(1) expansion of index - 


Appendix C 


(5) (1) 


Index References to References from 

J G N,Q 

K G N,Q 

LS G N,Q 

M N O 

N P if conclusive - 
Ae A 

if inconclusive - 

Q 

O M source 

P N source 

Q Ua Saal N, source 


each page of the section can be referenced 
simply as Al, A2, A3 etc., if a worksheet is 
to be added between A2 and A3, the A2 
becomes A2.1 and the added sheet can be 
indexed A2.2. 


Appendix C 


(2) references to - information contained in this section supports 
or provides background for the content of 
the section to which the reviewer is being 


referred; 


references from - information contained in this section is 
supported by the content of the section 


from which the reviewer is being referred. 


For ease of review, working papers should be cross-referenced in a manner 
reflecting the relationships between sections as noted above. Working papers 


should build upwards from source data to the final audit report. 


(3) source - indicates that information is derived directly 
from the audited entity through discussion, 


observation or application of audit procedures. 


(4) supervisory review - normally checklist is signed off indicating 

checklists ' : 
that a satisfactory standard of quality has 
been achieved in the audit and adequately 


reflected in the working papers. 


(5) assignment planning - various aspects of the memo may be referenced 
memorandum ‘ : Mera te 
to supporting working papers indicating to 
the reviewer that planning decisions and 
scope were taken into consideration during 


the conduct of the assignment. 


Appendix C 


/ i PERMANENT WORKING PAPER FILES 
Subject Index 
General Information AA 


significant legal, financial and regulatory constraints that impact 


the audited entity; 


environmental information on organizations that effect the 


operations of the audited entity. 


Operational Base for Audited Entity BB 


- objectives of the auditee 
- departmental and internal plans 


- relevant policies and procedures 


——— 


) - reporting requirements 

- services provided 

~ organization chart, position descriptions 
- capital and operating budgets 


- performance standards. 


Operational Documentation for Audited Entity CC 


- systems documentation (program logic, management control 


framework, accountability relationships). 


Previous Studies or Reports DD 


- copies of previous audit reports, follow-up notes, management 


action plans, planning memorandum; 


- copies of all recent AG reports, departmental responses 


)) 


Appendi 


Subject Index 
other internal departmental or Central Agency evaluation group DD 


studies or reports. 


The above list is meant to be illustrative and not restrictive in any 
way. Additional significant information should be included as 


necessary. 


Treasury Board of Canada Conseil du Trésor du Canada 


Comptroller General Contrdleur général 
ae Pie: sain sa tenets Notice 
Date: 01-09-83 Bie Nas Y 


Subject: PRINCIPLES FOR INTERNAL AUDIT FOLLOW-UP ACTIVITY 


Office of the Comptroller General Policy Development Branch 


Internal Audit and Special 


Studies Division 


PURPOSE AND SCOPE 


The purpose of this Policy Interpretation Notice (PIN) is to propose a 

set of principles for follow-up activity which supplements Internal 

Audit Standard No. 23. The proposed principles are discussed in more 
detail in the attached Position Paper. These may be used to guide 
departmental internal audit follow-up activity directly, or as a reference 
for the development of departmental policy/guidelines for this activity. 


ISSUES 


The major issues related to follow-up activity include scope, timing, 
frequency, depth, roles and purposes. 


The role of internal audit as a control function, whose purpose is to 
review, verify and evaluate other organizational controls, is now 
reasonably well understood and accepted by most departmental and agency 
management, The continuation of that role beyond the audit report stage 
does not yet have the same degree of acceptance in all departments. 

This is due to the lack of agreement on the nature and extent of follow- 
up activity, and the varied approaches to its implementation. This is 
not surprising since the nature and extent of follow-up activity that is 
desirable is largely situation dependent. 


INTERNAL AUDIT AND SPECIAL STUDIES DIVISION 


Geb Questions concerning this notice should be directed to: 
————— 


poate cuenta POLICY DEVELOPMENT BRANCH 
Canad OFFICE OF THE COMPTROLLER GENERAL C ion 
Canada (613) 996-6171 or 995-1297 anada 


INTERPRETATION NOTICE POSITION 


The principles suggested for guiding follow-up activity in 
departments and agencies are: 


1 Internal audit functions should plan for and execute follow-up 
action on all audit observations and associated recommendations 
recorded in internal audit reports. 


De Action plan development and implementation is the responsibility 
of management and the timing of follow-up action should 
coincide with normal managerial control points. 


Be Follow-up activity for any specific audit entity should normally 
terminate when it has been overtaken by the next planning 
cycle. This provision is subject to modification by the Audit 
Committee where such action is deemed to be justified. This 
general principle does not preclude repeat audits. 


4, There is intrinsic value in maintaining on-going contact with 
the auditee. 


The Position Paper suggests that departments and agencies 
incorporate a requirement for action plan development and implementation, 
and associated follow-up activity in their internal audit policy and 
associated procedures, where they have not already done so. These 
activities are crucial to the effectiveness of the internal audit function. 


DISPOSITION 


The internal audit community is requested to provide comments 
to IASSD on the Position Paper. It is suggested that internal audit 
groups compare their existing follow-up practices to the principles 
recommended in the Position Paper and report instances where the suggestions 
provided will not achieve the effects intended. 


Ultimately, the final position on audit follow-up will be 
incorporated within the standards or IACIA Internal Audit Handbook, as 
appropriate. Monitoring of follow-up practices in departments relative 
to the final position taken on audit documentation will be performed as 
part of the performance assurance review program of IASSD. 


Attachment to 
PIN 1983-03 


PRINCIPLES FOR INTERNAL AUDIT 


FOLLOW-UP ACTIVITY 


A Position Paper 


in support of PIN 1983-03 


TF 


Policy Development Branch 
Internal Audit and 
Special Studies Division 


i iae RaeiEn 


| Wri eA ‘S44 "4 boa 


., (2 | 
Seryoe ‘ Wet Lal _ » © ’ 


~t2 =a “i, ae A aire 7 : 7 
| ; ine 3As41% iGyewt 6@ > 
, MeelVGah ehshatt . lil sare 


= 
— 


Ihe INTRODUCTION 


The role of the internal audit function, as the evaluator of 
management controls, is now reasonably well understood and accepted in 
most departments and agencies. Unfortunately, management's perception 
of the product of that role often tends to revolve around the internal 
audit report to the exclusion of other, equally relevant products such 
as those of the follow-up process. Consequently, the role of audit 
beyond the report stage does not yet have the same degree of acceptance 
in all departments. This is partly due to the lack of agreement on the 
nature and extent of follow-up activity that is desirable, and the 
varied approach to its implementation. This is not surprising since the 
nature and extent of follow-up activity that is desirable is largely 
situation dependent. 


ie PURPOSE AND SCOPE 


The purpose of this Position Paper is to propose a set of 
principles for follow-up activity which are meant to aid departmental 
decision-making as to the scope, timing, frequency, depth, roles and 
purposes of internal audit follow-up activity. 


oF AP PROACH 


As mentioned, it is difficult to adopt precise, yet widely 
applicable rules for follow-up activity since it is situation dependent. 
Nevertheless, it is assumed there is general agreement that such an 
activity is desirable, and that providing some structure for it has 
utility and that it is possible to agree on the general principles which 
should guide its implementation. 


What follows is a set of tentative principles proposed along 
with descriptions of their intent and rationale. The intention is that 
through an iterative series of dialogue, attempted use and feed-back 
steps we will arrive at a set of principles to guide the implementation 


of follow-up activity in departments and agencies, regardless of situation 


dependent parameters. 

4. PROPOSED PRINCIPLES 
Principle 

4.1 Internal audit functions should plan for and execute follow-up 
action on all audit observations and associated recommendations 
recorded in internal audit reports. 


Discussion 


The follow-up process can only be delineated in conjunction 
with the final stage of the audit assignment process-report writing. 


rare 


To simplify matters it is assumed that obtaining management's 
response (reaction to the finding, conclusion or recommendation) is a 
mandatory part of the report writing stage of the audit assignment 
process. This would make the development of management's action plan 
the first stage of the follow-up process, whether the action plan is 
incorporated into the internal audit report or not. Although the auditor 
may be called upon for clarification of contents during action plan 
development, the first formal internal audit activity in the follow-up 
process will normally be action plan review. 


The nature, timing and frequency of follow-up action will 
depend on the substantive content of the audit conclusion and associated 
recommendation (its significance), and will vary with the stage in the 
process, with the milestones provided in the action plan, and with the 
sophistication of the departmental management process. 


An essential component of the first stage is obtaining agreement 
from management that it intends to undertake corrective action. This 
may involve several stages of discussion and negotiation through the 
managerial hierarchy up to and including the Audit Committee and, in 
extreme cases, the deputy head alone. Other possible elements of the 
follow-up process include: 


(a) Desk Review Of Periodic Progress Reports: Minimum frequency 


to be set by departmental policy; individual cases may be 
determined by departmental management or by the Audit Committee; 
in any case it should not be less frequent than semi-annually 
and should be more frequent at the front end, as deviations 

get progressively more costly to correct. Desk Review is the 
minimum follow-up action recommended. 


(b) Periodic On-site Review of Progress on Action Plans: Frequency 


should be determined on the merits of individual cases. It is 
expected that a mixed desk/on-site review strategy will prove 
optimal. 


(c) On-site Review: (follow-up audit) of action plan implementation 
to determine if anticipated improvements were achieved. 


(d) Poll of Managers: To determine if the action plan's implemen- 
tation resulted in the anticipated improvements. 


(e) Regular Audit: Include as part of the scope of the next 
regular audit of the auditee area in question. 


All of these follow-up process elements have potential value 
in encouraging action plan implementation, and as review mechanisms 
which enable the head of internal audit to provide advice to the deputy 


head. However, the two results oriented reviews, (c) & (d) and the 
repeat audit case, (e) could be used as indicators of effectiveness of 


= 


.\ 
\ 


fale Naas 


the internal audit function as well. In fact one could make a strong 
case for on-site results reviews as being the means for determining the 
ultimate indicators of internal audit function effectiveness - all 

others being proxy-measures. The main weakness of that case would be 

the joint responsibility problem, which makes it difficult to distinguish 
between managements' and auditors' relative contribution. 


Not all of the elements of the follow-up process would be 
justifiable in all cases. For example, those elements requiring on-site 
review are obviously more costly and would have to be weighed against 
the benefits foreseen. In any case, the extent of follow-up and use to 
which results are put should be a decision of the deputy head, on the 
advice of the Audit Committee, with appropriate input from the head of 
internal audit. 


The requirement for follow-up, the respective roles and 
responsibilities, and minimum frequency requirements should be embodied 
in departmental internal audit policy and associated procedures. 


Principles 


4.2 Action plan development and implementation is the responsibility of 
management and the timing of follow-up action should coincide with 
normal managerial control points. 


4.3 Follow-up activity for any specific audit entity should normally 
terminate when it has been overtaken by the succeeding departmental 
planning cycle. This provision is subject to modification by the 
Audit Committee where such action is deemed to be justified by 
circumstances. This general principle does not preclude repeat 
audits. 


Discussion 


The head of internal audit is a staff adviser to management, 
particularly senior management. Follow-up activity contributes to this 
advice role. It is up to management to plan, implement and control the 
action plan. Therefore, the progress reports received by internal audit 
should be on a "copy to" basis, with the original destined for higher 
level management rather than being a "special" report created solely for 
the audit group. Normal superior-subordinate relationships should 
prevail; the purpose of the report being copied to the internal audit 
group is so that the head of internal audit can play the expected advice 
role. On-site reviews should be synchronized with associated management 
reviews, where possible. 


Mince 


In cases where an auditee area has a good plan implementation 
track record, all outstanding action plan items that have not been 
implemented at the time of the next planning cycle should automatically 
be overtaken by (included in) the plan for the coming period and, therefore, 
not need further follow-up by internal audit. This is, of course, the 
ideal case. In practice, there may be any number of reasons for continuing 
the follow-up activity. This decision has to be weighed against the 
resentment generated against unwarranted interference with on-going 
managerial processes (whether real or perceived). In any case, the 
impact of an audit conclusion, and associated recommendation decreases 
with time. 


Principle 


4.4 There is intrinsic value in maintaining on-going contact with the 
auditee. 


Discussion 


The intrinsic value of on-going contact is undeniable, however, 
it may be carried out in many guises. If there is an on-going need for 
follow-up activity, it is simply more efficient to combine liaison and 
follow-up activities. If, on the other hand, follow-up is not justified, 
liaison can continue on its own merits, without the associated negative 
aura of control activity. 


De CONCLUSIONS 


In conclusion, although action plan development and implementation, 
which results from internal audit recommendations is the responsibility 
of the auditee (i.e. management), the internal auditor has the usual 
associated responsiblity of advising the deputy head/Audit Committee as 
to the adequacy of those processes. 


To establish or strengthen the follow-up process it is suggested 
that departments and agencies incorporate the requirement for action- 
plan development, follow-up activity, and associated roles and responsibi- 
lities of both management and internal audit, in their internal audit 
policies and procedures. 


Treasury Board of Canada Conseil du Trésor du Canada 


Comptroller General Contrdleur général 

Ottawa, Canada 

K1A 1E4 

No. 1984-01 Internal Audit 

Date: 10-03-84 Policy Interpretation Notice 


Subject: AUDITOR JUDGEMENT 


Office of the Comptroller General Policy Development Branch 
Internal Audit and Special 
Studies Division 


PURPOSE AND SCOPE 


The purpose of this Policy Interpretation Notice (PIN) is to provide the 
internal audit community with guidance related to auditor judgement; it 

supplements standards 16 and 17 dealing with ''due care" and sufficiency 

of evidence respectively. 


ISSUES 


Auditor judgement has always been a significant element of the audit 
process. In the relatively unstructured environment of broad scope 
auditing it is even more pervasive. Unfortunately the discussion of 
auditor judgement generally has not had much explicit, individual 
treatment in audit literature. An exception to this is a recent exposure 
draft, CGA - Canada, Auditing Standard No. 2, Auditor Judgement, issued 
by the Certified General Accountants Association of Canada (CGA). (The 
CGA is in the process of issuing a series of standards, which are meant 


to supplement existing professional and statutory standards, i.e. GAAS/GAAP.) 


INTERPRETATION NOTICE POSITION 


Although the CGA standards are written for private sector, external 
auditors, Auditing Standard No. 2 is considered sufficiently relevant to 
internal auditing to suggest it as recommended reading for all internal 
auditors as well. (See Attachment) 


Questions concerning this notice should be directed to: 


INTERNAL AUDIT AND SPECIAL STUDIES DIVISION 
POLICY DEVELOPMENT BRANCH 

OFFICE OF THE COMPTROLLER GENERAL 

(613) 996-6171 or 995-1297 


Canada | ss 


ay fi 


DISPOSITION 


Our intention is to incorporate the most relevant ideas presented in 
CGA Auditing Standard No. 2 in a chapter on Auditor Judgement in Volume II 
of the IACIA, Internal Audit Handbook (IAH). 


The internal audit community is invited to provide comments to IA&SSD on 
the attached draft standard, in the context of its applicability to 
internal auditing, with a view to influencing the content of the proposed 
chapter for the Handbook. 


Questions, commentary and suggestions may be directed to IA&SSD's policy 
development officers Mark Cuddy or Ernie Chadler at (613) 996-6171. 


® 


CGA-Canada 


Auditing Standard No. 2 
AUDITOR JUDGEMENT 


INTRODUCTION 


1.1 Absolute assurance is not possible in an audit due to the 


nature of testing, the limitations of internal control and 
the fact that much audit evidence tends to be persua- 
sive rather than conclusive. Therefore, professional 
judgement is an integral part of any audit. 


1.2 Auditor judgement is a professional judgement which 


depends on the qualifications of the auditor. First, an 
auditor must possess professional qualifications com- 
bined with adequate practical experience, and second, 
the auditor must possess an independent state of mind. 
He must undertake to perform his work with the skill, 
care, and caution which a reasonably competent, 
careful and cautious auditor would use. Implicit in this 
undertaking is the expectation that the auditor will 
exercise a high level of judgement. 


1.3 Flexibility of judgement can be contrasted with rigidity 


of regulations. The balance between judgement and 
regulation is important. It is clear that auditing gener- 
ally requires more professional judgement than does 
accounting. In the end, the auditing process is summar- 
ized by two judgements which are required in the 
auditor’s report: that the accounting consistently 
satisfies generally accepted accounting principles 
(GAAP) and that the auditing meets generally accepted 
auditing standards (GAAS). 


OBJECTIVES 


2.1 As pointed out in the introduction, it is necessary to 


balance the relationship between professional judge- 
ments, and accounting or auditing regulations. These 
relationships must be operationally specified in order 
to be of direct use to practitioners. Auditor judgement 
has become increasingly important because of the 
sheer volume of information, the expansion in the 
number and sophistication of users of audited reports 
and the responsibility that auditors bear to society as a 
whole. 


2.2 This Standard is a response to the need for guidance 


which concentrates specifically on auditor judgement. 
This Standard indicates a need to use models and other 
types of structured decision aids to supplement the 
auditor’s subjective judgement process. In addition, 
this Standard provides a basis for explaining, justifying 
or defending auditor judgements to parties who might 
question those judgements. These parties include 
auditors’ superiors, peers, subordinates, as well as 
regulatory agencies and the courts. Furthermore, 
operational specification of auditor judgement proce- 
dures will provide input for policy making and standard 
setting in the profession as a whole. Finally, benefits 
will accrue to parties outside the individual auditors, 
auditing firms and auditing profession. 


March 1984 


GG/\/ 809 


AUDITOR JUDGEMENT ISSUES 


3.1 The judgement performance of auditors is increasir 
the subject of judicial scrutiny, and certain conclusi 
can be drawn from the results of cases heard in Canz 
the United Kingdom, and the United States 
America. First, the courts seem willing to let 
profession articulate accounting and auditing stz 
ards, but they are inclined to look beyond conforn 
to standards for answers to the basic question 
whether or not the financial statements fairly 
meaningfully inform the reader. Second, the courts 
demanding that statements disclose information wt 
is intelligible and helpful to people who are not trai 
accountants. Finally, the courts are increasingly av 
that the function of the auditor is to ascribe credibi 
to the assertions of those who are being evaluated 
the financial statements. 

3.2 In practice, the courts are often called upon to dec 
on the question of whether or not procedures w 
followed which indicate “due professional car 
given that no suggested auditing procedure can be f 
out to be invariably necessary on ail audits 
necessarily sufficient in any given audit. Accordin 
the auditors’ professional judgements are dire: 
questioned and judged. 


Auditors must be able to explain and defen 
their judgements. 


3.3 One of the key problems in auditor judgement is 
determination of the amount of evidence which sho 
be accumulated; resolution is comprised of two bi 
steps. First, it must be decided what overall leve 
assurance is appropriate in the circumstances. Seco 
it must be decided how much evidence is necessar: 
achieve the overall level of assurance, considering 
existing circumstances. 

3.4 The overall level of assurance is the subjectiy 
determined level of confidence that the auditor ha: 
the fair presentation of the financial statements. C« 
plete assurance of the accuracy of the financial st: 
ments is not possible, but reasonably high levels car 
obtained. Auditors need guidance in systematic: 
arriving at the overall level of assurance and 
determining what the individual sections of the a1 
contribute to this overall level. 

3.5 In general, more evidence must be obtained as the le 
of assurance required by the auditor increases. H« 
ever, at some point, the additional cost of acquir 
more evidence exceeds the benefit obtained from 
additional information. Again, some objective crit 
are needed to measure or evaluate when evide! 
gathering has reached a level which will ass 
achievement of the overall level of assurance. 


3.6 


3.7 


3.8 


sio (“GGA 


Auditors should use objective guidance in 
determining the appropriate overall level of 
assurance and the evidence required to 
achieve this level. 


Another problem area for auditor judgement is in the 
drawing of conclusions from audit observations and 
sampling procedures. The avoidance of invalid conclu- 
sions or projections requires not only the disciplined 
use of logic but also the careful exercise of professional 
judgement. 


Auditors should use objective guidance in 


drawing valid conclusions from audit samples 
and observations. 


Finally, the auditor has a responsibility to apply 
procedures which, in his judgement, meet generally 
accepted auditing standards and comply with the rules 
of professional conduct. The auditor needs specific 
guidance in order to do so. 


Auditors should use objective guidance in 


deciding when the requirements of GAAS are 
met. 


Notwithstanding paragraphs 3.5 to 3.7, subjective 
evaluation is an important aspect of auditor judgement. 
Objective guidelines should be considered as a supple- 
ment to subjective judgement by the auditor. 


EVALUATION OF AUDITOR JUDGEMENT 


4.1 


4.2 


4.3 


A considerable amount of research has been done on 
various aspects of auditor judgement. This research 
can be classified into four areas: internal control 
evaluation (and subsequent testing); probability assess- 
ment (of error rates and account balances); the use of 
rules-of-thumb (in both probability assessment and the 
evaluation of sample outcomes); and judgements about 
materiality or disclosure alternatives. Because accu- 
racy is not directly measurable, various other criteria 
have been used to evaluate the effectiveness of auditor 
judgements. 

One criterion of effectiveness is stability over time of 
decisions made by the same auditor using the same 
information. Lack of stability is considered undesir- 
able for a number of practical reasons, including the 
potential exposure to legal liability and other sanctions. 
Consensus across different auditors within the same 
firm or across different firms within the profession is 
another criterion of audit efficiency and effectiveness. 
In fact, the profession engages in various efforts that 
are intended to promote consensus (for example, the 
educational and licensing requirements of the profes- 
sion). Research indicates a strong positive association 
between consensus and accuracy. Auditors whose 
decisions agree with those of other auditors tend to be 


4.4 


4.5 


more accurate on average than auditors whose deci- 
sions disagree with those of other auditors. These 
results are based on situations where accuracy can 
effectively be measured. Furthermore, it is assumed 
that consistency also promotes accuracy in auditing 
contexts where no good measure of accuracy is 
available. 

A third criterion for the evaluation of auditor judge- 
ment is insight and the auditor’s understanding of his 
decision process. Such insight and understanding is 
usually the product of knowledge and experience 
applied with disciplined logic. A high degree of 
self-insight into the judgement process is critical when 
the supervision of an audit involves delegation and 
staff training. 

A final criterion for evaluating auditor judgement is 
consistency with professional auditing standards. 
Some standards are sufficiently precise to serve as 
criteria for evaluation (for example, the principle that 
the extent of substantive testing required to obtain 
sufficient evidence should vary inversely with the 
auditor’s reliance on internal control). 


Criteria for evaluating the effectiveness of 
auditor judgement include: 
® Stability over time; 


® Consensus among auditors; 
@ Insight into the decision process; and 
® Consistency with auditing standards. 


4.6 In assessing systems of internal control, substantia 
individual differences have been found among auditor. 
who are evaluating the same information. Notwith 
standing these assessment differences, the reliability o 
internal control does affect auditors’ judgement regard 
ing the accuracy of records, and therefore, the subse 
quent test work and sample sizes. 


4.7 


Auditors must plan test work and sample 
sizes according to their assessment of the 
reliability of internal control systems. 


Earnings trends and assets size are important factors ir 
materiality judgements. However, studies reveal tha 
“the effect on income” dominates materiality disclo- 
sure judgement in many cases to such an extent, that al 
other factors are virtually ignored. 


Auditors must guard against utilizing a single 
criterion in materiality judgement decisions. 
Thus, auditors may depend on “the effect on 
income” for materiality judgements, but not to 
the exclusion of other factors. 


March 1984 


))) 


ww 


D 


METHODS TO IMPROVE 
AUDITOR JUDGEMENTS 


Sel 


en 


Se 


5.4 


SS) 


5.6 


In general, it can be said that auditors must maintain a 
healthy scepticism about their own judgements, just as 
they maintain an attitude of scepticism about their 
clients’ financial information. A sceptical attitude 
encourages auditors to seek ways to improve their 
judgements. 

One way to improve auditor judgement is for auditors 
to understand the characteristics and limitations of 
human decision-making. Auditors should be aware of 
(and accept) the fact that human decision-making 
involves potential problems, and accordingly be will- 
ing to monitor their own decision-making with these 
potential problems in mind. 

A natural extention to the awareness of human 
decision-making problems is the utilization of educa- 
tional programs (as part of student training and 
professional development) which are designed to help 
auditors overcome these problems. Such educational 
efforts could include, for example, training in statisti- 
cal and probabilistic concepts, as well as exposure to 
the results of research studies on auditor decision- 
making. 

A related possibility is providing auditors with feed- 
back about their judgement decisions. A “track re- 
cord” for each auditor is often not feasible, because 
decision accuracy cannot be measured. However, it is 
possible to provide feedback which does not require 
knowledge of “correct” answers. Information about 
auditors’ decision-making processes can be provided 
to indicate the extent to which the auditors employ each 
item of information in decision-making. This informa- 
tion could be used as part of education or training 
efforts in auditor judgements. Results of monitoring 
decision-making efforts can be utilized to improve 
auditor judgements by changing the information which 
auditors employ to make the judgements. This activity 
would include the elimination of information which is 
not useful for the decision. 

An important and practical technique for improving 
auditor judgement is the use of models to supplement 
(or even replace) human decision-making in repetitive 
decision contexts. Examples include statistical deci- 
sion models and multiple regression models of the 
environment. The primary advantage of such models is 
the enhancement of stability of decisions over time, 
and consensus among auditors. An input information 
model (such as multiple regression) will produce 
consistent output, in the form of evaluations, predic- 
tions or choices. The model output can be accepted “as 
is” or can serve as additional input to the auditors’ 
judgement processes. The auditor must be aware, 
however, that a high correlation achieved through these 
models does not necessarily imply that there is a valid 
relationship. 

Another way of reducing the inconsistency of individ- 
ual judgements is to form teams of two or more 
individuals. For example, it has been shown that the 
accuracy of equally-weighted composite decisions is at 


March 1984 


EGAN / 811 


least as great as the mean accuracy of the decisions « 
individuals. Where a number of people are engaged 1 
the audit, the gathering of composite informatic 
would be of training value, as well as of significant us 
in improving auditor judgements. 


Auditor judgements can be improved by: 

@ Training in decision-making; 

® Monitoring decisions and providing feed- 
back; 

@ Utilizing decision models to supplement 
human decision-making; and 

@ Utilizing team decision-making. 


REASONABLE AUDIT ASSURANCE 


6.1 


6.2 


6.3 


6.4 


Because certainty is not an attainable goal of the audi 
function, what is sought is reasonable audit assuranc 
(sometimes called overall audit assurance). The goal o 
reasonable audit assurance is accomplished through th 
use of professional judgement and the consideratio! 
and evaluation of critical factors. 

Auditors must seek a reasonable level of assurance as. 
minimum on all engagements and must seek an eve: 
higher level on sensitive engagements. The appropriat 
level of overall auditor assurance must be determine 
by auditor judgement, because it is difficult to measur 
levels of assurance and it is unreasonable to expect tha 
every auditor will demand the same level of evidenc 
under similar circumstances. Auditors differ, both as t 
the risks they are willing to accept and as to their level 
of experience and competence. 

The reasonable audit assurance principle is concernec 
with the confidence the auditor has that the statement 
present fairly the financial position of the entity, and th 
results of its operations. Generally speaking, the highe 
the level of assurance the auditor demands, the mor 
evidence he must obtain. The important decision to b 
made is at what point does the additional cost o 
acquiring more evidence exceed the benefit obtainec 
from the additional information. 


e@ Reasonable audit assurance refers to the 
overall confidence that the statements 
present fairly the financial position of the 
entity and the results of its operations. 

@ Generally, the higher the level of assurance 
demanded, the more evidence that must be 
obtained. 


Many auditors assert that it is not possible to quantif} 
the overall assurance achieved in an audit. Thess 
auditors acknowledge that it is practical to obtair 
measures of the level of assurance for some individua 
audit procedures (for example, by using statistica 
sampling) but that many audit procedures do not len¢ 
themselves to objective measurement. Also, thess 


6.5 


6.6 


6.7 


6.8 


812 /GGA 


auditors feel that there are no means of objectively 
determining, from individual segments, the overall 
level of assurance. Therefore, they argue that the level 
of assurance is highly subjective and determined 
purely by auditor judgement. However, the modern 
view, where auditing is considered more scientific than 
was typical of the past, advocates that (while auditor 
judgement is certainly necessary) guidelines and ob- 
jectives models are of assistance to auditors. 


Guidelines and models should be used to 
assist auditor judgement in the selection and 


measurement of a reasonable level of audit 
assurance. 


Some overall influences on the level of assurance 
should be considered. Fee constraints and competition 
among auditing firms may influence the level of 
assurance downward. However, (the threat of) law- 
suits, professional sanctions and professional pride 
keep the overall level of assurance high and reasonably 
uniform across the profession. 

Different levels of assurance are appropriate for differ- 
ent circumstances. When it is known that heavy 
reliance will be placed upon the financial statements, it 
is appropriate that the auditor’s overall level of 
assurance be increased. The cost of additional evidence 
can be justified when the potential loss to users (from 
material errors) is substantial. The degree to which 
statements will be relied upon is a function of the 
client’s size, distribution of the client’s ownership and 
the nature and amount of client liabilities. When a 
client organization is in an illiquid, unprofitable or 
over-levered condition, it is reasonable to increase the 
level of overall audit assurance. When the business is 
of a risky type or when the competence of management 
is in question, overall audit assurance levels should be 
increased. 


The level of reasonable audit assurance 

should be increased when: 

@ Heavy reliance will be placed on the state- 
ments; 


@ The client is illiquid, unprofitable or over- 
levered; 

@ The business is risky; or 

@ The competence of management is in 
question. 


The three critical factors which determine what is a 
reasonable level of overall audit assurance are the audit 
assurance factor, the specific risk factor, and the 
relative risk factor. 

The audit assurance factor refers to the degree that an 
account (or a group of accounts) contributes to the 
credibility of the financial statements as a whole. The 
view taken is that the financial statements as a whole 
achieve the overall audit goal of reasonable audit 
assurance. 


6.9 


6.10 


The specific risk factor is concerned with the fact that 
certain assets, accounts and transactions are, because 
of their nature, more susceptible to fraudulent manipu- 
lation and theft. Accordingly, auditors traditionally 
consider these specific, risky items for extra review. 
Examples of such items are cash, negotiable instru- 
ments, and inventories which have a common use or 
demand. The specific risk factor is also related to the 
risk of special circumstances, such as the prospective 
sale of the business or the poor financial condition of 
the client. 

The relative risk factor is concerned with the internal 
control system and the audit procedures. A judgement 
must be made with respect to the probability of an error 
or loss occurring that the system of internal control 
would not detect. Then, a judgement must be made as 
to the probability that the (internal or external) audit 
procedures may not detect the error or loss. 


The level of reasonable audit assurance 
should be determined by evaluation of: 


@ The audit assurance factor, 
@ The specific risk factor, and 
@ The relative risk factor. 


MATERIALITY 


Tint 


7.2 


One of the most basic functions of auditor judgement is 
the determination of the materiality limit, or the 
threshold which is established for each audit engage- 
ment. The materiality limit is used as a guide to 
planning the nature and extent of the verification 
procedures, and for assessing the sufficiency of audit 
evidence. Finally, the materiality limit influences the 
appropriate audit opinion to be expressed. Opera- 
tionally, the materiality limit chosen will affect deci- 
sions regarding sample size and decisions involving 
which items do (or do not) warrant exhaustive 
verification procedures. 

Most auditors agree that guidelines can be used to assist 
in establishing materiality limits for a given audit. 
Absolute amounts are not generally useful as material- 
ity guidelines because, for example, $25,000 might be 
material for a small firm, but not a large company. 
Relative guidelines are generally used, based either on 
the account itself, a group of accounts, or the total 
assets or total equities. Materiality relative to reported 
income is an important consideration. For example, an 
error which is not material with respect to total 
inventories might be material with respect to reported 
income. In not-for-profit organizations, the magnitude 
of what is material can best be gauged by reference to 
either total revenues or total expenditures (the differ- 
ence between the two usually being minor). Use of 
measures of profitability for materiality levels is often 
inappropriate, because net income may fluctuate 
widely from year to year. It may not make sense, for 
example, to halve the materiality level when profits 
drop by 50%. This difficulty can be avoided by 


March 1984 


r) 


7.3 


reference to normal (or normalized) net income as a 
base. More often, gross margin is used as a base for 
materiality decisions. 


Materiality guidelines should be established 
which relate to the magnitude of (groups of) 


assets, equities, revenues and expenses (or 
expenditures). 


All organizations will not have the same materiality 
guidelines. Most materiality decisions are made in the 
context of the impact of errors which will mis-state net 
income and net assets. In addition, consideration 
should be given to errors of classification among 
balance sheet components or income statement compo- 
nents. Materiality in errors of classification is impor- 
tant, particularly where the misclassification will 
distort financial ratios. When the auditor has made his 
judgement concerning materiality limits, it is usually 
prudent to discuss the planned materiality with the 
client’s management, directors or audit committee. 


@ Materiality guidelines for each audit should 
relate to the size, type and nature of the 
client organization. 


@ The materiality limit determined during the 
planning stage is tentative and subject to 
review and change as evidence is 
gathered. 


INTERNAL CONTROL SYSTEM 
DECISIONS 


8.1 


8.2 


8.3 


In the context of reasonable audit assurance, a critical 
auditor judgement must be made as to whether or not a 
specific account, or group of transactions, should be 
subjected to formal review of the internal control. In 
the absence of other indications (e.g., statutory re- 
quirements, suspicion of fraud, specific requests by the 
client), auditor judgement is required, since all ac- 
counts should not be treated alike. 

To bring some objectivity to auditor judgements on 
internal control reviews, decision aids are useful. 
Exhibit I is an example of a professional judgement 
guideline for the purpose of account selection for the 
review of internal control. However, such a guideline 
should only be used in the context of a sound planning 
and control system, as illustrated in the CGA Public 
Practice Manual, Volume II. 

Use of Exhibit I requires that each account be listed 
separately and an auditor judgement made (major to 
minor) for each of the three factors (audit assurance, 
specific risk and relative risk) as they pertain to that 
account. A 3-point ranking scale is then applied as 
follows: 

@ Weighting of 3 for a major consideration; 

@ Weighting of 2 for an in-between consideration; 

® Weighting of 1 for a minor consideration. 

The three weightings can then be summed (for a total 
three to nine points) and a threshold of the total figure 


March 1984 


GGA / 813 


established. This figure will aid the auditor in | 
decision as to whether plans should be made for 
internal control review, or only minor consideration 
any particular account. Internal control review pr 
grams can then be selected (see for example, t 
relevant sections of the CGA Public Practice Manu 
Volume IT) for the accounts judged to require reviews 
the internal control systems. 


Auditors should use decision aids tc 
strengthen professional judgements regard- 
ing the need for review of internal contro! 
systems. 


AUDIT PLANNING DECISIONS 


9.1 One of the most significant decisions to be mad 
planning an audit is the degree of reliance that car 
placed on the internal control systems. The leve 
reliance on internal control is particularly impor 
where internal control has an impact on the meast 
ment of major income figures. 

9.2 Where it is appropriate to place considerable relianc 
a particular control area, auditors should identify 
specific key control feature (or features) on wh 
reliance is placed. This will assist in designing com 
ance procedures to cover the particular control are 

9.3 For the determination of audit procedures, decis 
aids can assist auditor judgement and bring sc 
objectivity into the process. Exhibit II is an exampl 
a weighted-value decision aid (similar to the decis 
aid for making internal control review decisic 
which can be used to assist in the planning of at 
procedures and evidence-gathering. The same scal 
system and critical factors are used as in Exhibit I ( 
paragraph 8.3) with the addition of the results of 
decision on the level of reliance which can be placed 
internal control. (Presumably, for the same accout 
the scaling for the three critical factors, audit ass 
ance, specific risk, and relative risk, will be the sam 
for the internal control selection guideline.) The val 
for the four factors are totalled (from four to twel 
and thresholds set to assist in planning audit procedu 
for each account. The apparent double-counting 
Exhibit 2 is designed to ensure that accounts 
rigorously examined. The established internal con 
figure determined in Exhibit | is re-evaluated in Exh 
2 in the context of the account selection and investi 
tion function. Segmented audit procedures can ral 
from a full Audit Program (probably selected fr 
CGA Public Practice Manual, Volume II), to a Revi 
Program (perhaps selected from CGA Public Pract 
Manual, Volume I), to a tailor-made program, t 
simple, minor consideration to the account. 

9.4 It is important to emphasize that professional jud 
ment guidelines should not be used indiscriminate 
The auditor must start with professional competet 
and independence. He must then acquire an und 
standing of the specific circumstances surrounding 
client firm. In the absence of negative evidence 
specific direction to the contrary, the auditor m 


9:5 


9.6 


9.7 


9.8 


314 /GG/A\ 


consider critical factors (perhaps using a decision aid) 
in order to arrive at a conclusion based on professional 
judgement. 

A critical auditor judgement is whether or not to accept 
a particular engagement. To adequately make a deci- 
sion, auditors could use a questionnaire-style guide- 
line. Such a guideline should require consideration of 
facts such as whether or not the auditor is sufficiently 
qualified, independent, or capable of completing the 
engagement. Also, consideration of the need to inquire 
of the prior auditor and the need to make inquiries and 
hold discussions with the client should be incorporated 
into a professional judgement guideline. In addition, a 
similar methodology could be used to ascertain if the 
client is auditable. 

A judgement guideline is useful in considering the 
utilization of the client’s resources. Auditors should 
utilize client resources to the fullest extent in all areas. 
However, the auditor must exercise care to ensure the 
reliability of information provided by the client and to 
ensure that work which should be conducted by the 
audit staff is not delegated to the client. The auditor can 
enhance the results of client’s work by providing 
detailed instructions and working papers to client staff. 
Examples of work which can be completed by client 
staff are preparation of systems flow charts, schedules 
and analyses and the provision of special documenta- 
tion. 

Auditors can use a relationship approach as a profes- 
sional judgement guideline to assist in the selection of 
accounts for audit investigation. Using the relationship 
approach, the auditor would determine that an account 
would be selected if its dollar value represented, for 
example, more than ten percent of the total dollar value 
of all assets in its class. In auditing transactions, an 
auditor might select an individual entry if its dollar 
value represented, for example, more than five percent 
of the total value of the account. Alternatively, a 
specific value approach can be used as a professional 
judgement guideline in the selection of accounts for 
audit investigation. Using this approach, the auditor 
would determine that any account over a specific dollar 
amount be selected for investigation, regardless of 
relationship factors. This method is often applied 
arbitrarily, as a complement to other methods. 


Professional judgement guidelines can be of assistance 
in an auditor’s sampling decisions. It can be assumed 
that random sample selection is better than any other 
method, and that the better the system of internal 
control, the more reliance can be placed on sample 
results. Assuming internal control is adequate, satis- 
factory results from a primary sample would support a 
decision to discontinue sampling in that field. Past 
history of errors increases the probability of current 
errors (unless remedial action has taken place) and, 
similarly, the absence of past errors reduces the 
probability of current errors (unless intervening sys- 
tems changes have occurred). 


9.9 


Professional judgement guidelines can be used to assi: 
in auditor judgements regarding the reduction 
omission of substantive verification checks. For exan 
ple, if the prior year’s audit investigation indicated th: 
internal control systems were in place and operatin 
effectively, and the current year’s review of intern: 
contro] systems substantiates that the systems are sti 
in place, then an auditor may decide that certain check 
be reduced or, even omitted. In such circumstance: 
the auditor would reinforce his professional judgemer 
with valid, documented evidence, which would nc 
only support his decision but also show clearly that th 
reduction or omission was intended; and not the resu 
of error or negligence. 


Auditors should utilize professional judge- 

ment guidelines or decision aids to determine 

and document: 

® The type and nature of audit procedures; 

@ Whether to accept a new engagement; 

@ How to use client staff and resources; 

® The selection of accounts or transaction 
for audit investigation; 

® The selection of samples; and 

@ The reduction or omission of substantive 

checks. 


UTILIZATION OF DECISION AIDS 


10.1 


10.2 


10.3 


As implied in paragraph 4.3, audit decisions have bee 
found to lack a high degree of consistency acro: 
auditors, and to be insensitive to various statistical ar 
probabilistic features of the information upon whic 
the decisions are based. Most of these problems rela 
to the auditor’s attempt to integrate large amounts « 
information judgementally. It is suggested that or 
way to improve auditor judgement is to include trainir 
in decision-making in formal training programs « 
auditors and auditing firms. 

To supplement formal training, firms can establis 
“judgement policies” in key areas and train the 
personnel to follow these policies. It is necessary th 
these policies evolve over time and are modified | 
response to specific engagements. The main purpose « 
such decision aids is to increase the consistency (ov 
time and across auditors) with which auditor judge 
ments are made. 

Another way of improving auditor judgement is 1 
utilize statistical decision models. A number of repet 
tive audit decision situations are amenable to th 
application of decision models. Common aids utilize 
are: multiple regression and time series models i 
analytical reviews; statistical sampling (rather tha 
judgemental sampling); and statistical evaluation ¢ 
sample results. The problem is that statistical decisio 
models are not feasible for many auditing situations. 


March 198 


)» 


10.4 


10.5 


10.6 


10.7 


Where statistical decision models are not feasible, the 
use of structured decision aids is appropriate. The use 
of structured decision aids is not new in auditing. Such 
aids are used routinely in the information collection 
phase of an audit (for example, the pervasive use of 
internal control questionnaires and audit programs). 
Beyond these simple decision aids there are applica- 
tions which include information integration, in addi- 
tion to information collection and review. Structured 
decision aids are useful for integrating substantial 
amounts of information, in order to help auditors 
identify critical combinations of conditions that typi- 
cally signal weaknesses in internal control and to help 
auditors decide which of these weaknesses are applica- 
ble to the particular control system being investigated. 
This type of decision aid would typically utilize sets of 
decision tables. Another example of a structured aid is 
one designed to specifically focus on the extent of 
substantive tests. This kind of aid is useful when 
statistical sampling is not employed. The decision aid 
relies on a combination of equations and decision 
tables to integrate different types of information in 
order to determine non-statistical sample sizes. 


In making professional judgements, auditors 
should utilize decision aids. Decision aids can 
be classified as: 

@ Judgement policy manuals; 

@ Statistical decision models; and 

@ Structured decision aids. 


The use of structured decision aids is somewhat 
controversial. The controversy centers around the use 
of structure versus the use of judgement. Opponents of 
structured decision aids argue that no two audits are 
exactly alike and that only a subjective judgemental 
process (acquired through experience) can be 
sufficiently sensitive to those aspects of an audit that 
make it unique. 

Auditors who favor a structured approach to audit 
decisions maintain that it is better to integrate evidence 
by a more formal, explicit system than by subjective 
judgement alone. The structure-view is strongly sup- 
ported by results of human information processing 
research in auditing (and in other fields). Several 
advantages can be given for the use of decision aids. 
First, both the consistency of audit decisions and their 
accuracy (if measurable) is improved by augmenting 
the subjective judgemental nature of audit decision- 
making with structured decision aids and statistical 
decision models. Second, by making explicit the 
factors on which decisions are based, firms are able to 
foster an organizational responsibility to develop and 
adhere to judgement policies. Third, structured deci- 
sion aids provide a basis on which decision-making can 
be taught. Finally, structured decision aids have been 
shown to result in favorable cost-benefit results. 

It is important to note that practitioners who favor 
increased structure maintain that an effective combina- 
tion of judgement and structure should be sought as the 


March 1984 


10.8 


GGA\ / 215 


means of improving audit decision-making. Deci: 
aids do not replace or reduce the need for a 
judgement. If anything, additional judgement is 
lized, because many factors of the judgements mus 
clearly articulated and this will usually result in t 
being carefully considered. 


An approach to auditing that establishes an appropr 
balance between auditor judgement and structu 
evaluation is superior to singular auditor judgeme: 
There is a danger, however, of over-use (or inapy 
priate use) of decision aids. This danger is not crez 
by the decision aids themselves but by inadeqt 
training, supervision and review regarding their t 
When used properly, statistical decision models | 
structured decision aids are effective supplement: 
auditor judgements. 


Auditor decisions are best made by using at 
appropriate balance between auditor judge 
ment and structured evaluation. 


When preparing and issuing CGA Auditin: 
Standards, the CGA Auditing Standard: 
Committee acknowledged that: 

@ No single rule of general application can be 
phrased to fit into all circumstances, o 
combination of circumstances; 

@ Not every aspect of any Standard can be 
held to be necessarily applicable in al 
circumstances, or combination of circum 
stances; and 

@ There is no substitute for the exercising o 

professional judgement in the application o 

any Standard. 


11.0 REFERENCES 


® CGA Public Practice Manual 

@R. H. Ashton, CGA Research Foundation, Mo’ 
graph No. 6, Research in Audit Decision Maki 
Rationale, Evidence and Implications 

© CGA-B.C., The Audit Engagement: Planning 
Control 

® CICA Handbook 

@ IFAC Auditing Guidelines 

@ AICPA Statements on Auditing Standards 

@R. J. Anderson, The External Audit 

® Arens, Loebbecke & Lamon, Auditing: An Integ 
ted Approach: Canadian Third Edition 

@ Arens, Loebbecke & Lemon, Auditing: An Integ 
ted Approach: Canadian Third Edition 


sie /GGA 


EXHIBIT I: (SAMPLE FORMAT) 
Account Selection 
Professional Judgement Guideline 
Review of Internal Control 


Account Group Client 


Account Decision 


Name 


Review Program 
Minor Consideration 


* A.A. is the audit assurance factor 
S.R. is the specific risk factor 
R.R. is the relative risk factor 
THRESHOLDS: 
@ five or more indicates a review program: 
® four or less indicates minor consideration. 


GGA / 817 
EXHIBIT Il: (SAMPLE FORMAT) 
Account Selection 
) Professional Judgement Guideline 
| ) Investigative Function 


Account Group Client 


Critical Factors* Decision 


Total Audit Program 
Review Program 
Minor Consideration 


Account 
Name 


Ss 
wo 


* 1.C. is the evaluation of internal control systems 
A.A. is the audit assurance factor 
S.R. is the specific risk factor 
R.R. is the relative risk factor 


' THRESHOLDS: 
9 @ eight or more indicates an audit program; 
@ seven to five indicates a review program; 
@ four or less indicates minor consideration. 


SSS 


March 1984 


Roly Treasury Board of Canada Conseil du Trésor du Canada 


Comptroller General Contrdéleur général 
Ottawa, Canada 
) \ ) K1A 1E4 
No. 1984-02 
Internal Audit 
Date: 01-07-84 Policy Interpretation Notice 


Subject: TREATMENT OF ACCESS TO INFORMATION 
REQUESTS FOR AUDIT INFORMATION 


Office of the Comptroller General Policy Development Branch 
Internal Audit and Special 
Studies Division 


PURPOSE AND SCOPE 


The purpose of this Policy Interpretation Notice (PIN) is to provide the 
internal audit community with guidance relating to the treatment of requests 
for audit information made under the Access to Information Act. It is 
expected that departmental access co-ordinators will seek function-specific 

\ advice from the heads of internal audit concerning the release of audit 

) ly records. Working within the basic tenets of the Act, this PIN identifies a 
decision-path approach which should enable audit officers to provide 
consistent and uniform advice to officers responsible for access decisions; 
advice which meets both the letter and intent of the Act in a meaningful way. 


The guidance provided in this PIN supplements the formal policy instructions 
contained in the Interim Policy Guide, Access to Information Act and the 
Privacy Act issued by TBS (circular no.: 1983-35). The guidance is not meant 
to provide an alternative approach to the formal TBS instructions relating to 
access requests. The formal TBS policy clearly represents the authoritative 
document for dealing with requests under the Act and should be followed as a 
normal matter of course in all circumstances. 


Questions concerning this notice should be directed to: 


INTERNAL AUDIT AND SPECIAL STUDIES DIVISION 
POLICY DEVELOPMENT BRANCH 

OFFICE OF THE COMPTROLLER GENERAL 

(613) 996-6171 or 995-1297 . 


)D 


Canada 


-2- 


The guidance in this notice was considered necessary because of the impact of 
the Access to Information Act on the Standards for Internal Audit, particularly 
standards 17, 20 and 22. The standards relating to audit evidence, assignment 
reporting and post-audit consultation will be influenced by the release of 
audit records and as such further internal audit policy interpretation is 
appropriate. 


ISSUES 


The Interdepartmental Advisory Committee on Internal Audit felt that a govern- 
ment-wide, general approach to the treatment of requests for audit information 
would be beneficial in those instances where auditors are asked to give advice 
to their deputies. Auditors, in such situations, would provide advice which: 


= deals with the provision of audit information according to the letter 
and intent of the law; 

= helps applicants satisfy their requirements for audit information in 
a meaningful way; 

= provides a consistent way of dealing with requests for audit records; 

= ensures that requests are dealt with in an efficient manner; and 

= maintains the integrity of the internal audit function. 


The approach presented in this PIN is based upon these intended purposes. Its 
technical accuracy has been verified through discussions with both Justice 
Department legal advisers and the Treasury Board's Access to Information Task 
Force. The approach adopted reiterates the desire on the part of the internal 
audit community to honour the public's rights to audit information and to be 
sensitive to their needs. The PIN also explains those limited situations where 
the auditor may be expected to protect particular kinds of information, the 


release of which would cause identifiable harm or would be contrary to the 
law. 


INTERPRETATION NOTICE POSITION 


Premises 


In determining an approach to the treatment of requests for audit information, 
a number of basic premises were identified. These premises relate largely to 
the internal audit community's interpretation of the requirements of the Access 
to Information Act, within the context of the unique features of the internal 
audit process. They are meant to provide a logical basis from which an approac 
to information requests can be extracted. Although the premises have been 
carefully researched and their appropriateness discussed with a number of 
government officials, including legal advisers, they cannot be claimed to 
represent a conclusive basis for an approach in the absence of court interpre- 
tation of a number of the Act's provisions. 


The premises underlying the proposed approach to access requests are: 


a) an ineffective internal audit function will be injurious to the 
internal decision-making processes of a government institution. In 
this regard, injury to the internal decision-making processes of the 
government is most likely to occur when audit information is released 
prior to the conclusion of the auditor's deliberative process. 


- 3 - 


Disclosure of audit information prior to the conclusion of the 
auditor's deliberations may cause harm to the auditee by releasing 
information which unintentionally misrepresents the nature and state 
of the operations under review. Such disclosure of audit information 
will also likely hinder the frank exchange of views between auditors 
and auditees. Once an audit has been completed, however, the 
likelihood of injury resulting from disclosure of audit information 
is significantly diminished; 


b) the auditor's deliberations in arriving at an overall assessment of 
the auditee's processes and systems are not concluded until the auditee 
has had the opportunity to comment on the validity, completeness and 
relevance of the auditor's facts and conclusions presented in a draft 
report. Appendix A illustrates the audit process as a decision- 
making process and identifies the nature of the auditor's deliberations; 


¢) since the amount of audit information related to any particular 
request may be extensive, auditors may seek to clarify, through 
informal discussion with the applicant, the nature of the interest 
in the audit information. This clarification will serve to localize 
the information requirement, thereby eliminating unnecessary retrieval, 
review and edit procedures and helping to reduce the access fee. 
Informal discussions, however, would only be conducted when the access 
co-ordinator acknowledges and approves of the nature of discussion 
intended; 


d) that portion of requested audit documents which contain data prepared 
for or by the auditee (i.e. source data), will be referred by the 
auditor to the auditee for determining whether disclosure can be 
permitted. Using the concept upon which subsection 8(1) of the Act 
is based, the original source of raw data is assumed to have "greater 
interest" while the auditor's interest is derivative and, therefore, 
secondary. Formal use of subsection 8(1), however, would only apply 
in those situations where the auditee and auditor are employed in 
different government institutions. 


The term "working papers" as used here is consistent with the descriptions 
provided in the Policy Interpretation Notice, 1983-02, "Audit Working Papers". 
In that document, draft audit reports are considered to be an integral part of 
working papers. This understanding of the term working papers is significant 
to the reader when considering the discussion provided below. 


Treatment of Requests for Information 


Three possible paths are presented to guide the treatment of requests for 
internal audit information. The paths are distinguishable by the types of 
audit documents requested and the stage of the audit at the time the request 
for information is received. Figure 1 illustrates the following narrative 
comments in the form of a decision-path flow chart. 


Bhat elt nal 


AONOd LNaW 
-NU3AOD HLIM 
39NVGYOIOV 
NI Tvina.vw 

1LdW3x3 JO 

IWAOW3Y 3SIAGV L aYNDId 

“GOIW3d SIHL ONIUNG NOILVWHOINI 40 3HNSO1NSIC aUNLVW3Hd 

WOU4 NOILNLILSNI LN3WNY3A0D 3H 40 S3SS390Nd ONINVW-NOISIDIG 

AWNUALNI 3HL OL AUNPNI 4O ALITISISSOd H3LV3UD 3HL OL ONIMO 


NOILVW 


G3131dWOD LHYOd34¥ N3HM 
(Lt) OL OD ‘LHOd3aY 430 
NOINL31dWOD 31103dx3 


O1 3137dWOD 
N3HM 18O0d3u 
LIGNyv 33450 
AVIVWHOSNI 


13V¥0 NO aoiwad 
ei JS 90 
1S!1X3 LON $300 G¥YO93H a3113/A 38 


“LS3N03Y 
30 1VIN3G 
JO ANVOIIddv 


OL NOILVS 
“ISILON HOS SLNBW 
“ZONVEYV INVW 


“HO4NI 
a18vi 
“dW3X3 
NIVLNOO 
saquoo3ay 


ON 


SNOILdW3X3 
HO4 1HOd3u 
G31L13A 8 GYO93Y 
G31S3N03y 
M3IA3¥ ‘33LIGNY 
H1LIM LINSNOD 


SNOILdW3X3 
¥yOJ4 LHOd3u 
14V¥0 M3IA3Y 
‘B3L10NV 
HLIM LINSNOD 


aoisdad 

AVG 0& 
NI SS390ud 

ONILLSA 
3137dWOO 


SWIL NI LNIOd 
SIHL O1 SLN3LNOO 
180d3¥ 1jV¥G 40 

SISV8 3HL LNVOIIddv 

OL ONIASIYV19 NOIL 


auoo3y 
G31S3N03Y¥ NO 


Y3WIV19SIC 
“VINYOINI AUVLNAIW SLVDIONI (1) 0109 
ANVOIIdd¥ “31ddNS 3uVd3ud Aquwa19 


140d3u 


AWSV319 \iyoday’ 


NVvO 4avud' 
WW, SvH/ 


ON 
S¥3adVd ONINYOM 


/\ 


Suadvd 
ONDIYOM ‘Viva 
BOYNOS ‘LYOday 

1dVuO 40 HNOAVS— 


180d3uY NI G3A10S3¥ 
diavud NOILVOIS 
1eVI19 


G34N 
O1stD3adS 
SANVOIIddv 
ATIVINSOSNI 
AAIBW19 


£ ON H1iVd NOISIO3G 


SNOILdW3X3 
yo4 
SM3IA3Y 
yOLIGNV 


3uNSOTSIG 
NO aSIAGV GNV 
41S3N03Y ‘M3IAaY 
O1 33L10NV 
¥OJ JONVEYV 


VvVivg 394nN0S 


SLIGNY JL371dWOONI HOI LNVA313¥ SHOW SI (L)LZ NOILOSSENS 40 3SN *3L0N 


(2) 01 05 


SNOILdWAX3 
¥yO3 MalAay 
‘BaLIGAV 
HLIM 
LINSNOD 


AYYS 
$393N 
a3Lianv 

NOILWL 
KTNSNOD, 
si 


suadvd 
SNIMHOM 


ss390V 
SNIAIS ¥OS 
SLIN3WIONVEYY 
a1vw 


ADINOd 
AN3WNY3A0S 
HLIM 3ONVGNO99V 
NIVVId3LVW 
1dW3x3 40 
TVAOW3¥ 3SIAGV 


NOIL 


| -VWHOSNI. 
218vi } 
“dW3X3 
| ON ‘snivLtNoo 
ayuoo3y¥ 


su¥advd 
SONINNO! SNOILdW3X3 
/ ¥O YO4 M3IA3H 

albcaso anes mee 
HLIM LINSNOO 
NI GaA70S3a¥ i80d3y 

NOILWOIS 

a are 


a33N 


O141D3dS 
S,ANVOITddV 
ATIVWHOSNI 

ASIHWI19 


31L31dWO9 


(Q3Y4VHS) 


€ ON BZ ‘ON HLiVd NOISID4G 


siany 
st 


NOILVWHOSNI 
iianv 
yOo4s 
4s3N03¥ 
3AI3Z93U 


L ‘ON HLvd NOISIO3G 


[ 
| 
| 
| 
| 
iF 
| 
| 
| 
| 
| 
| 
| 
| 
| 


)» 


Decision Path 1 


In this scenario, the request for information is received subsequent to the 
completion of an audit and is clearly directed towards obtaining the final 

audit report. When this situation occurs, it is suggested that as a general 
rule, release of the entire audit report be recommended to the deputy head. 

This disclosure includes the release of recommendations, management's response, 
and action plans, where it is the practice to include these in the report. 
Notwithstanding the general rule, auditors may recognize limited instances 

where conclusions and recommendations contained in the final report include 
information, the disclosure of which could cause identifiable harm to the 
internal decision-making processes of the government institution. For such 
instances. the invocation of paragraph 21(1)(a) may be applicable. For instance, 
if an institution's decision-making capability is likely to be harmed as a 
result of disclosing audit conclusions and recommendations, this information 
should be protected until the likelihood of injury passes. Harm in this context 
means having a detrimental effect on the specific interest, the decision-making 
process, covered by this exemption. Although administrative change or embarrass- 
ment to public servants could result from disclosure of audit conclusions and 
recommendations, auditors should note that these effects by themselves are 
insufficient in demonstrating harm to the decision-making process and therefore 
do not represent satisfactory grounds for invoking paragraph 21(1)(a). 


The general rule favouring full disclosure is thought to be associated with 
certain benefits. First, full disclosure of the final audit report provides 
the applicant with a complete and balanced view of the processes under review 
and minimizes the risk of misinterpretation. The disclosure of auditee comments 
in response to audit recommendations enhances the credibility of the reported 
results. The release of the action plans, in response to the audit recommenda- 
tions, provides evidence of the constructiveness of the audit process. Second, 
full disclosure of audit reports is also an efficient treatment of requests. 
Costs associated with editing the contents (severing, per section 25) for 
release to the public would be limited to those associated with the identifi- 
cation and removal of specific exempt information as noted above. 


Audit officers cannot be expected to be aware of all the implications related 
to the release of information contained in audit reports. Consequently, prior 
to recommending release of the audit report, the audit officer should consult 
with the auditees in order to determine whether they feel that there are any 
legal restrictions relating to disclosure. 


For full disclosure of final audit reports to be a practical method of satisfying 
access to information requests, the auditor must ensure that the existing candor 
in reporting is maintained. While strong senior departmental management and 
audit committee support for complete and informative audit reports will in 

large measure ensure retention of an effective reporting process, auditors 

must do their part; they must ensure that the quality and integrity of their 
reports is not adversely affected by the knowledge that the contents may be 
disclosed to the public. 


Decision Path 2 


In this scenario, it is assumed that a request for information is received 
subsequent to the completion of an audit, but is directed towards obtaining 
audit information not contained in the final audit report. 


Initially, the auditor may find it useful to informally attempt to clarify, 
through discussion with the applicant, the nature of the interest in audit 
information. Given the broad descriptions provided in the Access Register, 
the auditor may be able to help applicants localize their information require- 
ment. This could be beneficial in that the volume of information that must be 
reviewed and edited may be reduced and discussion could help the applicant 
avoid excessive costs associated with access. Informal discussions, however, 
should not be seen as an attempt to circumvent the formal processes provided 
by the Act, and audit officers are advised to consult with their departmental 
access co-ordinators before proceeding with any discussions with applicants. 


Where the applicant's interest can be served by providing source data, the 
auditor should arrange for the auditee to review the requested information. 

The auditee should be responsible for advising the deputy head, through the 
access co-ordinator, as to whether the data can be disclosed. Where the audito 
and auditee are employed by different government institutions. the auditor may 
advise the access co-ordinator that use of subsection 8(1) of the Act may be 

in order. 


Where Audit Services Bureau of Supply and Services Canada performs audits for 
client audit groups. the decision for disclosure of information will rest with 
the client department. It is the Audit Services Bureau's policy to transfer 
requests received directly by them to the client department through the appli- 
cation of subsection 8(1) of the Act. Requests for audit information received 
directly by the client department will not require the application of subsectio 
8(1) but the audit group would have to make arrangements with the Audit Service 
Bureau for retrieval of any audit records stored at their premises. 


Where the applicant requires working paper information other than source data, 
the auditor should review the requested material according ot the provisions 
of the Access to Information Act. Particular attention during this review 
should be given to the applicability of sections 16. 19, 21 and 22 of the Act. 
These exemptions and their use are fully described in the TBS Interim Policy 
Guide and should be carefully reviewed by all auditors. These sections are 
considered more likely to be associated with the normal contents of working 
papers than other exemption provisions included in the Act, but emphasis on 
these sections does not preclude a full consideration of all other exemptions. 


Paragraph 21(1)(a) may technically apply to parts of draft reports included 
within the audit working papers. In addition, paragraph 21(1)(b) could apply 
to working paper documentation such as interview notes and minutes of meetings 
between government officials. However, as noted in Decision Path 1, sub-sectio 
21(1) is a discretionary class test exemption and the auditor is advised to 
determine the existence of harm to the internal decision-making processes when 
deciding on whether to apply this provision. In this scenario. the audit 
deliberations have been completed and it is less likely that injury to the 
internal decision-making processes can be demonstrated. Consequently, under 
normal circumstances it is expected that paragraphs 21(1)(a) and (b) would not 
be applied. 


WD) 


) 9) 


Decision Path 3 


The most difficult scenario in the treatment of access requests is that situatio 
where a request for audit information is received prior to the completion of 
the audit. Disclosure of audit information containing tentative observations 
or conclusions may result in unintentional misrepresentation of the nature and 
state of the processes under review. Such disclosure would likely hinder the 
working relationship between the auditor and auditee and ultimately the 
effectiveness of the auditor's decision-making process which depends to a large 
extent on the frank exchange of views between auditor and auditee. Equally 
important. it could do considerable, sometimes irreparable, harm to the auditee. 
Until the auditee has had an opportunity to comment on the validity, complete- 
ness and relevance of the auditor's facts and conclusions as presented in the 
draft audit report, both the auditee's operations and the audit decision-making 
process are particularly vulnerable to injury from disclosure of information. 


Treatment of request for audit information in this scenario is illustrated 
according to the timing of the request. Distinctions in terms of approach are 
based on whether the request is received: before the preparation of the draft 
report; while the auditor is preparing the draft report or it is being reviewed 
by the auditee; or after the draft report has been reviewed and verified by 

the auditee. For all alternative approaches provided in this decision-path 
scenario, it is assumed that the auditor will initially clarify. through informa 
discussion with the applicant. the nature of the interest in the audit infor- 
mation (as was discussed under Decision Path 2). 


Requests received before the preparation of the draft report 


Formally, request for audit reports at this stage in the audit process may be 
denied on the basis that the record does not exist as per subsection 10(1) of 
the Act. Informally, however, the audit officer may decide to accommodate the 
applicant's request beyond the strict requirements of the Act. The auditor 

may wish to indicate to the applicant that the requested report may be forwarded 
within a reasonable period subsequent to the completion of the audit field 

work. It is stressed once again that these informal discussions should be 
arranged through the departmental access co-ordinators. 


The intent of the auditor in offering informally the completed audit report is 
to ensure that all requests for information are treated in a reasonable manner. 
To accomplish this, it is also necessary for the auditor to ensure that the 
report is completed and made available within an acceptable time frame. The 
following procedures are expected to achieve this purpose: 


- auditee comments on a draft audit report will normally be received, 
and incorporated where necessary into a revised report, within a 
maximum two-month time period from the date the initial draft was 
completed; and 


= the revised audit report will be made available to the applicant 
within this two-month period. 


The OCG will continue to provide, through its performance assurance activity 
related to timeliness of audit reporting, an assessment of the reasonableness 


of the time frame between the end of audit field work and completion of an 
initial draft report. 


ao Ree 


Regardless of the reasonableness of the two-month time period considered necess 
to provide a quality audit report, the audit officer may be required in certair 
circumstances to furnish the report to the applicant in less time. The applicz 


may not accept the auditor's informal offering of the draft report within the 
time frame discussed above. Instead, the applicant may choose to submit a 


second formal request for information at a later point in time when the report 
is in the process of being prepared by the auditor or being reviewed by the 
auditee. In such cases, as will be discussed later in this scenario. the audit 
will be required to disclose the report, as it exists, to the applicant within 
30 days. 


When a request is received prior to the preparation of the draft report and 

the applicant's interest is directed towards obtaining working paper informatic 
the auditor should review the requested information according to the provisions 
of the Act (particular attention should be paid to sections 16, 19, 21 and 

22). This is similar to the method discussed under Decision Path 2. The major 
distinction in this scenario, however, is that the likelihood of injury to the 
internal decision-making processes, and to the auditee, may be greater owing 
to the timing of the request. Because the auditor's deliberations are incomple 
the risk of harmful effects from disclosure may be greater. While the use of 
exemptions in this case should not be automatic, the auditor may technically 
have a more sound basis for invoking certain provisions to protect the audit 
decision-making (consultative and deliberative) process. In particular, use 
of section 21(1)(b) for certain interview notes, minutes of meetings or other 
accounts of consultations and deliberations may be appropriate should disclosu1 
of such information inhibit the frank exchange of views among officials and 
thereby hinder the completion of the audit process. 


Request received while the draft report is being prepared by the auditor or 
being reviewed by the auditee 


When a request for an audit report is received at this point in time, the audit 
is required by the provisions of the Act to disclose the record to the applicar 
within 30 days. Because the draft audit report represents a crucial aspect of 
the auditor's deliberations in arriving at an assessment, particular care is 
required in ensuring that disclosure at this point in the audit does not harm 
the decision-making processes which are as yet incomplete. Review of the Act 
suggests that the audit process is particularly vulnerable to injury should 
requests be received at this point in the. audit. Certain exemptions noted 
below, may apply to portions of the content of draft reports but the protectior 
available is not considered to fully remove the risk of injury to the integrity 
of the audit process. 


The following exemptions may be important should requests for audit reports be 
received prior to their review by the auditee. Use of paragraph 21(1)(a) may 
be appropriate for protecting advice and recommendations contained in the draft 
report if the auditor determines that disclosure of this information will cause 
injury or harm to the particular internal processes to which it relates. 
Paragraph 21(1)(b) may be applied to protect accounts of consultations or 
deliberations relating to the contents of draft reports if disclosure is 
injurious, but the actual contents of the report itself probably cannot be 
withheld using this exemption. Finally, if the auditor firmly believes that 

it is clearly necessary and reasonable to have more than the critical 30 days 
for providing access to draft audit reports, the Act allows a time extention 


= One 


per subsection 9(1). This subsection allows extension of the initial 30-day 
period if consultation is necessary and cannot be completed within this time 
period. At present, however, use of this provision is considered very tentative 


and not generally recommended. particularly given its very limiting interpretation 
in the Interim Policy Guide issued by TBS. 


For audit groups that employ private-sector consultants to perform audit 
activities, the use of the exemptions noted above is limited. Paragraph 21(2)(b) 
provides that subsection 21(1) does not apply in respect of a record that 
contains a report prepared by a consultant or advisor who was not, at the time 
a report was prepared, an officer or employee of a government institution or a 
member of the staff of a Minister of the Crown. It is likely that the use of 
the term "report" in the Act will not be applied literally but will extend to 
all records under the control of the government institution prepared by the 
consultant. As has been suggested by this paper, however, the limited usage 

of subsection 21(1) by the internal audit community will not likely create a 
significant distinction between the degree of disclosure required for the 
contents of records prepared by consultants versus government auditors. Never- 
theless, should a request for information prepared by consultants be received 
prior to the completion of the audit, there may be increased need on the part 
of consultants to expedite verification of the accuracy of records requested 
within the 30-day period allowed for responding to access requests. 


When an incomplete or unsubstantiated draft audit report must be released, the 
auditor may wish to provide additional information to the applicant clarifying 
the basis, and any related reservations, upon which the contents have been 
derived to this point in the audit. The auditor may also wish to identify on 
the draft report disclaimers with respect to the accuracy of representations 
provided. The best protection to the deliberative aspect of the audit process, 
however, is to ensure that. prior to the preparation of draft reports, auditors 
carefully determine and confirm the accuracy of their observations through 
continual dialogue with the auditee. The importance of the Standard 22 of the 
Standards for Internal Audit in the Government of Canada, which relates to the 
discussion of audit findings and recommendations with the officials responsible 
for the activities begin commented upon, becomes increasingly significant given 
the broader potential readership of audit records. 


Request received subsequent to auditee review and verification of the draft 
report 


Receipt of a request for information at this point in time is normally not 
considered problematic to auditors. The deliberative process is considered 
essentially complete and the likelihood of injury as a result of disclosure of 
audit information is significantly lessened. As such, the auditor should treat 
such requests in the manner described under Decision Path 1. 


One final reminder is that any contact with applicants should be fully documented. 
Aside from the desirability of keeping track of the nature and timing of requests 
for administrative purposes, such information will be useful as input to possible 
future revisions of this document, or even the Act and/or .its associated Treasury 
Board Policy. It will also, of course, be useful should there be any subsequent 
intervention by the Information Commissioner or legal action. 


= Loe 


DISPOSITION 


The internal audit community is invited to provide comment to IASSD on the 


contents of this notice. Monitoring of experiences with the Act and review of 
the procedures adopted to deal with requests for audit information will be 
performed as part of the performance assurance review program of IASSD. 


REFERENCES 
Federal Government Reference Documents (formal) 


= Circular No.: 1983-35, Interim Policy Guide, Access to Information Act 
and the Privacy Act, Treasury Board Secretariat; June 1, 1983. 


- Bill C-43, as passed by the House of Commons; June 28, 1982. 


- Standards for Internal Audit in the Government of Canada, Office of the 
Comptroller General, Policy Development Branch, Treasury Board, 1982. 


Departmental Internal Audit Reference Documents (informal) 
= Office of the Comptroller General, Policy Development Branch, Internal 


Audit and Special Studies Division, Policy Interpretation Notice 83-02: 
"Audit Working Papers". 


vp 


Appendix A 


The Working Paper File as the Documented Record 
of a Decision-making Process 


The Working Paper File is a documented record of the internal audit 
assignment's field work phase. Table 1 below, illustrates the audit 
process as a decision-making process and identifies the nature of the 
auditor's deliberations: 


The purpose in drawing a parallel between the audit process and a decision- 
making process is twofold. The first, is to demonstrate that the audit 
process, a particular type of decision-making process, has the same 
consultative and deliberative content as any decision-making process 

which, therefore, is at least technically subject to exemption per 
paragraph 21(1)(b), given that injury due to disclosure of that particular 
content can be demonstrated. The second, is to provide a framework within 
which it is possible to distinguish the approach to be taken to treatment 
of requests for information (see discussion of Decision Paths 1, 2 and 


says 
Table I 


Decision-Making 


Process Elements 


I 


Process Generic 
Stage Decision-Making Field Work Working Papers 
}} . 1. Problem - Identification of - Assignment planning: - Assignment Plan 
\ ) Identification problems/opportu- (Identification of 
nities/constraints, scope, suspected 
values, relevance weaknesses, lines of 
criteria inquiry, objectives) 
2. Problem - Specification of - Review phase: - Detailed descrip 
Specification the problem in terms describing the flow charts, dat 
of its nature, auditee environment ; predetermined co 
structure, variables, development of pre- model; list of p 
parameters constraints determined control weaknesses 
and objectives/ model (success 
success criteria criteria); preliminary 
testing to localize 
problem/opportunity 
areas and constraints 
and verification 
3. Alternative Enumerate and - Evaluation Phase: Documented analy 
Deve lopment develop alternative confirm problems; findings, tests, 
solutions (a form perform cause/effect conclusions 
4. Choice of hypothesis analysis; consolidate 
testing); choose conclusions 
best solution 
5. Report Confirm and - Develop conclusions Draft and final 


document the 
results of the 
decision 


and overall opinions 


reports 


-2?- 


Essentially, the issue is that disclosure of internal audit record content 
during the decision-making process is more liable to be injurious, to 

both auditee and the audit function than after the decision-making process 
is completed. In the future, a "Letter of Representation" procedure 

used by private sector accounting firms, may be a useful means of further 


clarifying the point at which the audit decision-making (consultative/ 
deliberative) process is complete. 


Babe Comptroller General Contrdleur général 


of Canada du Canada 


Ottawa, Canada 


K1A 1E4 
No. 1984-03 Internal Audit 
Date: 10-10-84 Policy Interpretation Notice 


Subject: PRE-IMPLEMENTATION AUDIT 


Office of the Comptroller General Policy Development Branch 
Internal Audit and Special 
Studies Division 


PURPOSE AND SCOPE 


Modern internal auditing, as defined in the Srendard cen has two main 

thrusts, namely: (1) helping managers achieve improved productivity 
(auditing economy, efficiency and effectiveness) of their ongoing operations; 
and (2) advising management on the development of economic, efficient 

and effective major, new, or changed infrastructure (pre-implementation 
auditing). 


The purpose of this Policy Interpretation Notice (PIN) is to provide the 
internal audit community with guidance related to pre-implementation 

audit. It supplements standard No. 2, dealing with "scope" and the 
associated discussions in Chapter Two, Scope and Frequency, and Appendix A, 
Auditing Computer-Based Systems. 


ISSUES 

ie What is a pre-implementation audit? 

A pre-implementation audit is an audit carried out on departmental/agency 
systems during the design/development and installation process rather 
than after the system has been turned over to the client for operation. 
Ze What is the scope of a pre-implementation audit? 

To be consistent with the Standards, the scope of pre-implementation 
audits should include all major new systems under development, including: 


new legislation, policies and procedures, information systems (both EDP 
and non-EDP) and production processes. 


iL See Standards for Internal Audit in the Government of Canada. 


Questions concerning this notice should be directed to: 


INTERNAL AUDIT AND SPECIAL STUDIES DIVISION 
POLICY DEVELOPMENT BRANCH 

OFFICE OF THE COMPTROLLER GENERAL 

(613) 996-6171 or 995-1297 


Canada 


Pre-implementation audit consists of two possible components: 


(i) Audit of the project management/system development process 
(for EDP systems, this includes the complete systems development 
life cycle”), and 


(ii) Audit of the control framework being designed for the system. 
Bic Why do a pre-implementation audit? 


The rationale for initiating pre-implementation auditing is that it is 
more cost-effective to correct weaknesses in the control framework 
during the design/development and installation process than after 
implementation, when large quantities of resources have been expended 
and strong commitment to the entity under design has been generated. 


This does not eliminate the need for post-implementation audits as there 
is no assurance that what was designed and installed was maintained or 
operated as intended, and that the original requirements continue to 
hold true. 


4, How far can the auditor go without impairing independence? 


Auditors always have the problem of possibly compromising their objectivity 
through their efforts to gain an understanding of, and empathy with, the 
auditee's situation. This is particularly true for pre-implementation 
auditing. For example, there is a real danger that the auditor will get 
co-opted into participation in actual design of controls rather than 
playing the "advice" role. Even in playing this more restricted role 

the auditor may become too committed to the resultant systems configuration 
to be totally unbiased in later, post-implementation audits of that same 
system. 


It is considered however, that the benefits of such auditing far outweigh 
the risk incurred and that, in any case, it is possible to minimize the 
danger of loss of objectivity by judicious control of the nature and 
scope of the auditor's involvement, and by adopting an appropriate 
assignment strategy. 


A more extensive discussion of the above issues is presented in the 
attached Discussion Paper. 


See the Administrative Policy Manual, Chapter 440. 


mY 


vd 


INTERPRETATION NOTICE POSITION 


The position of this PIN is that: Pre-implementation audits should be 
undertaken for all major systems under development in departments and 
agencies; they should be reflected in the departmental/agency internal 
audit policies and plans; and, the potential loss of auditors" objectivity 
can be minimized through appropriate terms of reference and assignment 
strategy. 


DISPOSITION 


It is our intention to adopt one or more of the following actions, based 
on the nature of the feedback received from the internal audit community: 


ik Prepare a chapter on pre-implementation auditing for Volume II of 
the IACIA Internal Audit Handbook (IAH). 

12, Prepare a guide on pre-implementation auditing for Volume IIT of 
the IAH. 

Dre Integrate pre-implementation audit guidance into existing IAH 
chapters. 

4, Prepare changes to the relevant portions of the Standards for their 


next revision. 


The internal audit community is invited to provide comments to IA&SSD on 
the attached Discussion Paper with the view to influencing the content 
and location of future guidance on this important subject. 


NW] TY Attachment to 


PIN 1984-03 


PRE-IMPLEMENTATION AUDIT 


A Discussion Paper 
in support of PIN 1984-03 


} i) 


Policy Development Branch 
Internal Audit and 
Special Studies Division 


x 


Z_ 


® 


DISCUSSION PAPER 


PRE-IMPLEMENTATION AUDIT 


Subject: Participation of Internal Auditors in Systems Under Development 


Introduction 


The purpose of this Paper is to explore various aspects of participation 
by auditors in systems under development. This type of participation will be termed 
"pre-implementation audit". 


The subject of pre-implementation audit will be discussed from the 
point of view of its background, definition, scope, purpose, effect on other aspects 
of the audit function and possible means of implementation. 


Background 


There are several factors which have the effect of increasing pressure 
on internal auditors to participate in systems development projects: systems develop- 
ment projects are notorious for cost/time overruns; implemented systems are equally 
notorious for not meeting all user requirements; systems, particularly EDP systems, 
often have under-designed control frameworks; and, recent cost-cutting programs, 
prompted by a recessionary economy and large deficits, have focussed increased 
attention on improving the productivity/efficiency of all processes. This puts the 
spotlight particularly on the systems development process because of the costly 
down-stream effects of inadequate design and implementation. 


Audit literature has recognized the potentially useful role of pre- 
implementation audit for some time, however, it has been almost exclusively centred 
on EDP information systems. This view of systems has two limitations: not all 
systems are "information" systems and EDP is only one possible vehicle for imple- 
menting systems. In what follows, we will employ a broader view of systems . 


Our recognition of the desirability of pre-implementation audit is reflected 
in the Standards” in several ways: 


(i) Standard 2., Scope, states that "The scope of internal audit 
shall encompass all aspects of a department's operations. 
The internal auditor assesses and expresses an opinion upon: 


a) The design, development, implementation ... of all 


systems, procedures, processes and controls, including 
computer-based systems; ..."5 


ke A system is defined as a set of elements related to one another according to 
some coherent pattern. While the elements are important, it is the linkages 
or relationships among the elements, defined in terms of common purpose, 
which make it possible to speak of a system - abstracted from Managing Public 
Systems: Analytic Techniques for Public Administration, by Michael J. White, 
Clayton Ross, Robert Myrtle, Gilbert Siegel and Aaron Rose. 


Ze Standards for Internal Audit in the Government of Canada. 


ed 


(ii) Standard 3., Frequency, adds that "All major systems, ... 
performing significant responsibilities should be examined 
within a period not exceeding three to five years..."; and, 


(iii) In the elaboration of standards 2. and 3., in Chapter Two, it 
is made clear that pre-implementation audit was intended to 
include new legislation, agreements and contracts. 


Definition 


As indicated above, we will term the auditor's participation in systems 
under development "pre-implementation audit" and will adopt the broadest definition 
of the term "system", a definition which encompasses all major infrastructural 
mechanisms in an organization, including: legislation, policies and procedures; 
information systems (EDP or other); production systems/processes; agreements and 
contracts; and organization structures. See Figure 1 for an illustration of typical 
infrastructural hierarchy and the relationships. 


Scope and Purpose of Pre-Implementation Auditing 


The scope of a pre-implementation audit has two components. The first 
has to do with the entities subject to pre-implementation audit - these have already 
been defined above as all major new systems (i.e. infrastructural hierarchy). and 
should include major re-designs of existing systems. 


The second component of scope has to do with the type of auditor 
participation that could be contemplated. These are: 


(i) Audit of the project management/systems development process. 


(ii) Audit of the control framework that is being designed in conjunction 
with (surrounding), or as an integal part of the system under design. 


The first type of audit is aimed at assuring management that the 
development process adheres to prescribed (e.g. central agency) or generally 
accepted policies and practices, which ensure that sound systems are conceived, 
developed and implemented and that the development process is economic, efficient 
and effective. The second type of audit assures management that adequate operating 
and management controls are being conceived, developed and implemented, which 
in turn will ensure that the operators, managers and users of a system will have a 
means of determining whether the system is performing as intended. 


For both types of audit the rationale employed is twofold. The first is 
that it is easier and less costly to ensure adequate design at its conception than to 
rely on remedial changes after implementation. The second is that systems that 
will be used repeatedly must be more carefully designed and managed at the front 
end because of the potentially negative effects on operating efficiency and effective- 
ness that could result from a poor design/development process. 


A derivative benefit from pre-implementation audits is the resultant 
heightened awareness of the role of control accruing to all participants (managers, 
users, systems designers, etc.). 


'@ 


Bf ee 


Infrastructural Hierarchy 


Government Policy 


Legislation 


Management/ 
Administration 
(e.g. FAA, PSEA) 


Central Agency 
Policies, Directives, 
Guidelines, and Regulations 


Government-wide 
Admin. Systems 
and Procedures 


Departmental 
Management/Admin. 
Policies, Directives 
Guidelines 


Departmental 
Management/Admin. 
Systems and 
Procedures 


Figure 1 


Program 
Enabling 


Program Policies 
Directives and 
Guidelines and 

Regulations 


eervcny 

Systems 
Processes 
Projects 
Contracts 

Agreements 


ties 


The Effect of Pre-implementation Audit on Other Aspects of the Audit Function 


There are two aspects to consider. One is the effect on other types of 
audit and the other is the effect on the audit function's independence. 


A pre-implementation audit should reduce the number of systems-oriented 
findings that the audit group is likely to identify in future periods, however, it is 
unlikely to eliminate them. There are three reasons for this: It is unlikely that any 
design will be perfect to start with; even if a design is perfect, it is unlikey that it 
will be implemented, maintained and operated exactly as designed; and finally, it is 
unlikely that the orignal environmental conditions or requirements will continue to 
hold true over the entire life of the system. 


Independence is a difficult aspect to deal with as it is very subjective. 
Various auditors and managers will have differing views as to what independence is 
and when it is jeopardized. Guidelines which may prove useful in this context follow: 


(a) Avoid participation in actual design work (this parallels the traditional 
admonishment that auditors not participate in operations that they will 
be expected to audit in the future). 


(b) Specify the need for "key controls" but not what form they should take 
(i.e. specify the "what" and not the "how"). 


(c) Negotiate the groundrules for participation ahead of time such that all 
parties understand and agree on their respective roles - independence 
and objectivity as an intent can be spelled out at that time (for example, 
specify that user managers should provide control objectives, systems 
designers should design the controls, and auditors should advise on the 
adequacy of controls). 


(d) Ensure that the auditor who participates in the pre-implementation 
audit is not the one who performs future post-implementation audits on 
the same system. 


Although the potential for loss of objectivity in performing audits cannot 
be eliminated completely, it can be limited. Judicious control of the degree of 
auditor involvement in pre-implementation audits can minimize both the existence 
and appearance of such loss of objectivity. 


Possible Means of Implementation 


To start with, it is assumed that all departmental/agency internal audit 
policies and plans appropriately reflect provisions for pre-implementation audit in 
accordance with the Standards. 


Other prerequisites to successful implementation of such audits would 
include: a requirement (in departmental/agency policies or directives) that managers 
notify the head of internal audit of all major systems development projects (this 
does not preclude the internal audit group performing its own surveillance through 
review of plans and other relevant documentation and through personal contact 
with managers); a requirement that managers/project leaders invite the internal 
audit group to participate in all major systems development activity (including 
participation in systems development teams, systems development Steering 


astes 


Committees, etc.); active support of senior management for such participation, 
and, the acquisition of a sufficient number of appropriately qualified senior auditors 
who would lend credibility to the systems and to the internal audit function by 

their participation (contracting is an alternative, where resource budgets permit). 


Although a comprehensive guide to pre-implementation auditing is beyond 


the scope of this Paper, some suggestions are presented for your consideration: 


(1) 


(2) 


(3) 


Although it is desirable that the auditor have a background in the subject- 
matter area of the proposed system (e.g. finance, personnel, specific 
program/activity) and in the technology expected to be used in the 

design of the delivery vehicle (e.g. EDP, micrographics) it should be 

kept in mind that the internal auditor's role is that of control not subject- 


matter expert. 


It should be kept in mind that the main difference between pre- 
implementation and post-implementation auditing is one of timing. 
Therefore the methods and techniques used do not change appreciably. 


For example, for the audit of the systems development process the 
relevant criteria would include those provided for project management, 
contracting and EDP systems in the Administrative Policy Manual and 
in the Guide on Financial Administration for Departments and Agencies. 
Also, relevant IACIA Guides (e.g. EDP Audit) are equally usable for 
pre-implementation auditing. 


In the case of pre-implementation audit of the control framework being 
designed into or around the system under development, the starting 
point would be a pre-determined, normative control model, as it is for 
any audit, except that in this case there would be only a paper represen- 
tation of an actual control framework to compare it with, rather than 
the physical one that would exist in the case of a post-implementation 
audit of the system. 


In performing pre-implementation audits two key principles need to be 
kept in mind: 


(i) Every system has to have the means whereby the operator 
and manager of that system can determine whether it is 
performing as intended, i.e. it must have controls. 


(ii) Where the auditor is involved in the pre-implementation 
audit of only one element of the infrastructural framework 
(see Figure 1) the auditor has to be very aware of its relative 
position and role in the hierarchy. It is unreasonable to 
expect the same degree of specificity/precision in the 
specification of objectives, criteria, etc., and associated 
controls at each level. For example, at the highest level 
(legislation), the designers should not be expected to incor- 
porate detailed implementation procedures and performance 
criteria as would be expected at the systems and procedures 
level. What one would expect is progressive elaboration as 
one moves down the hierarchy, and consistency and continuity 
between levels. 


2% 


In general, when an auditor is involved in a pre-implementation audit at 
an intermediate level in the hierarchy, it is important for that auditor 
to become familiar with the role of adjacent (higher, lower and peer 
level) elements in the structure in order to be able to judge consistency 
and continuity. 


(4) The auditors assigned to pre-implementation audits should be those 
senior auditors in the group with the highest level of relevant expertise. 
This is due to the crucial nature (downstream impact) of the entity 
under audit. 


(5) The timing of the start of the auditor's participation should coincide, 
ideally, with the start of the formation of the development team, and 
certainly no later than coincident with the statement of the user's 
requirements. 


(6) The auditors participation in a pre-implementation audit is unlikely to 
be full-time but rather at key points in the development process (e.g. 
at, or just prior to: turnover of user specifications to the systems 
designer, turnover of the systems design to the programmer/procedure 
writer, system testing and cut-over/user acceptance). This type of on- 
off participation may aggrevate the audits manager's resource allocation 
process, however, close collaboration with the systems development 
project leader can minimize the problem. 


(7) The timing of the first post-implementation audit of a new system, or 
major change, should be no sooner than six months after its turnover to 
the user/operator, i.e. after it has progressed from transient to reasonably 
steady state. 


Conclusions 


Pre-implementation audit is a valuable managerial aid. This has been 
recognized in the literature on auditing and reflected in the Standards. 


This type of auditing applies to all major infrastructural mechanisms 
(systems) under development. It encompasses two distinct activities, i.e. audit of 
the development process and audit of the control framework being designed. 


Pre-implementation auditing methods and techniques do not differ radicall 
from normal, post-implementation auditing. However, the skill of the auditor applyinc 
those methods and techniques must be of the highest order because of the downstream 
impact of such an activity. 


dp 


Bibliography 


1. 


Lambrix, Robert J. and Singhui, Surendra S., "Preapproval audits of capital 
projects", Harvard Business Review (March-April 1984). 


Moser, J.W., “Assessing Controls in an Application During System Design", 
].A. Communique (Feb. 1983), Treasury Board of Canada, Comptroller General, 
Internal Audit and Special Studies Division. 


Rittenberg, Larry £., Auditor Independence and Systems Design, the Institute 
of Internal Auditors, Inc., Altamonte Springs, Florida, U.S.A., 1977. 


Stidwell, Joanne, (edited by Donald A. Brown) "Improving the System 
Development Life Cycle", C.A. Magazine. 


The Institute of Internal Auditors, Standards for the Professional Practice of 
Internal Auditing, The Institute of Internal Auditors, Inc., Altamonte Springs, 
Florida, U.S.A., 1978 (latest re-issue Feb. 1984). 


Treasury Board of Canada (Comptroller General), Standards for Internal Audit 
in the Government of Canada, Treasury Board of Canada, 1982. 


Treasury Board of Canada, Administrative Policy Manual, Treasury Board of 
Canada. 


Wysong, Jr., Dr. Earl M., "Using the Internal Auditor for Systems Design 
Projects", Journal of Systems Management (July 1983), Association for Systems 
Management, Cleveland, Ohio, U.S.A. 


4 


Eien 


Vinnie 


Niet i 


